tech-net archive
NPF: TCP options
In NPF we don't check the length of the TCPOPT_MAXSEG and TCPOPT_WINDOW
options. That's a problem: if the length is bogus, we should ignore these
options, just like the kernel does in tcp_dooptions().
It seems to me one could bypass max-mss clamping by, for example, giving
nptr[0] = TCPOPT_MAXSEG
nptr[1] = TCPOLEN_MAXSEG + 1 = 5
nptr[2,3] = the maxseg option
nptr[4] = TCPOPT_EOL
nptr[5] = TCPOPT_MAXSEG
nptr[6] = TCPOLEN_MAXSEG = 4
nptr[7,8] = the maxseg option
NPF will see the first two options here, and will stop iterating after
TCPOPT_EOL. The kernel, however, won't see TCPOPT_EOL, and will handle the
third option.
I've written [1], which fixes that. Basically we fetch nptr[1] (length),
sanitize it, and then use it to ignore options with the incorrect length.
Maxime
[1] http://m00nbsd.net/garbage/npf/tcpopt.diff
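As an added illustration (not Maxime's patch and not NPF code), here is a length-checked option walk modelled on the kernel's tcp_dooptions() logic described above, run over the constructed option block from the message: a filter that advances by the fixed TCPOLEN_MAXSEG would stop at the EOL at offset 4, while this walk skips the length-5 option and reaches the well-formed one. The MSS values (64 and 1460) and the function name are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Option kinds and fixed lengths, as defined in <netinet/tcp.h>. */
#define TCPOPT_EOL      0
#define TCPOPT_NOP      1
#define TCPOPT_MAXSEG   2
#define TCPOLEN_MAXSEG  4
#define TCPOPT_WINDOW   3
#define TCPOLEN_WINDOW  3

/*
 * Walk the options the way tcp_dooptions() does: fetch the length byte,
 * stop on an impossible or overlong length, and ignore a MAXSEG (or
 * WINDOW) option whose length is not the fixed one. Returns the MSS the
 * kernel would actually honour, or 0 if no well-formed MAXSEG is present.
 */
unsigned
tcp_opts_mss_checked(const uint8_t *cp, size_t cnt)
{
    unsigned mss = 0;
    size_t optlen;

    for (; cnt > 0; cnt -= optlen, cp += optlen) {
        uint8_t opt = cp[0];
        if (opt == TCPOPT_EOL)
            break;
        if (opt == TCPOPT_NOP) {
            optlen = 1;
            continue;
        }
        if (cnt < 2)
            break;
        optlen = cp[1];
        if (optlen < 2 || optlen > cnt)
            break;                  /* bogus length: stop parsing, like the kernel */
        if (opt == TCPOPT_MAXSEG) {
            if (optlen != TCPOLEN_MAXSEG)
                continue;           /* wrong length: skip this option entirely */
            mss = (unsigned)cp[2] << 8 | cp[3];
        }
        /* TCPOPT_WINDOW gets the same optlen != TCPOLEN_WINDOW treatment. */
    }
    return mss;
}

/* Constructed 9-byte block from the message: MAXSEG with length 5 carrying 64,
 * an EOL at offset 4, then a well-formed MAXSEG carrying 1460. */
const uint8_t evasive_opts[9] = {
    TCPOPT_MAXSEG, TCPOLEN_MAXSEG + 1, 0x00, 0x40, TCPOPT_EOL,
    TCPOPT_MAXSEG, TCPOLEN_MAXSEG, 0x05, 0xb4
};
```

A filter that clamps MSS has to operate on the same option the kernel will honour, so its walk must apply the same length checks.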