Re: CVE Request (2002): Linux TCP stack could accept invalid TCP flag combinations

[John Haxby <john.haxby () oracle com>]

On 03/02/12 10:37, Marcus Meissner wrote:
> Hi,
>
> After a customer query likely coming from erroneous Security Scanner output,
>
> this issue from 2002 has no CVE id yet as far as I see:
>
> http://www.kb.cert.org/vuls/id/464113
>
> It describes a problem where firewalls might let some TCP flags combinations
> pass (e.g. all with RST flag set) and the OS (e.g. Linux) stack would in turn
> accept a TCP session it might not have accepted otherwise.
>
> The protection added in Linux 2.4.20 is checking for the RST (reset) flag
> when a SYN packet is received, which was I think the main attack scenario.
>
> The relevant part of the 2.4.20 patch is:
>
> @@ -3667,6 +3693,9 @@
>                 if(th->ack)
>                         return 1;
>
> +               if(th->rst)
> +                       goto discard;
> +
>                 if(th->syn) {
>                         if(tp->af_specific->conn_request(sk, skb) < 0)
>                                 return 1;
>
>
> The check still exists in current mainline git, so the issue is still fixed.
>
> Ciao, Marcus

I suspect that this actually came from here:

http://www.nessus.org/plugins/index.php?view=single&id=11618

It's entirely possible that there's a typo in the web page because it
talks about TCP+FIN but refers to web pages dealing with the much older
TCP+RST.

There is actually a SYN+FIN discard fix in the mainline kernel which
would appear to be a DoS ("Denys Fedoryshchenko reported that SYN+FIN
attacks were bringing his linux machines to their limits.") should we
have a CVE for this issue?  (I'll ask in a separate message if so.)

jch