tech-net archive


NPF: TCP options



In NPF we don't check the length of the TCPOPT_MAXSEG and TCPOPT_WINDOW
options. That's a problem: if the length is bogus, we should ignore these
options, just like the kernel does in tcp_dooptions().

It seems to me one could bypass max-mss clamping by, for example, giving

	nptr[0] = TCPOPT_MAXSEG
	nptr[1] = TCPOLEN_MAXSEG + 1 = 5
	nptr[2,3] = the maxseg option
	nptr[4] = TCPOPT_EOL
	nptr[5] = TCPOPT_MAXSEG
	nptr[6] = TCPOLEN_MAXSEG = 4
	nptr[7,8] = the maxseg option

NPF will see the first two options here, and will stop iterating after
TCPOPT_EOL. The kernel, however, won't see TCPOPT_EOL, and will handle the
third option.

I've written [1], which fixes that. Basically we fetch nptr[1] (length),
sanitize it, and then use it to ignore options with the incorrect length.

Maxime

[1] http://m00nbsd.net/garbage/npf/tcpopt.diff
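The two option walks side by side, as an added example that is not part of the post and not NPF's or the kernel's code: a fixed-length MAXSEG walk of the kind the mail describes, beside a length-checked walk that mirrors the tcp_dooptions() rule of ignoring a MAXSEG whose length byte is wrong, both run over a constructed option block laid out as in the mail. The option constants are redefined locally and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define TCPOPT_EOL     0	/* kinds/lengths as in <netinet/tcp.h>, */
#define TCPOPT_NOP     1	/* redefined so this file stands alone */
#define TCPOPT_MAXSEG  2
#define TCPOLEN_MAXSEG 4

/* Fixed-length walk (the behaviour the mail describes): MAXSEG is consumed as
 * TCPOLEN_MAXSEG bytes without consulting its length byte.  Returns the MSS
 * seen, or 0 if the walk ends (EOL or malformed option) before finding one. */
static uint16_t
mss_fixed_length_walk(const uint8_t *cp, size_t cnt)
{
	size_t optlen = 0;
	for (; cnt > 0 && cp[0] != TCPOPT_EOL; cp += optlen, cnt -= optlen) {
		if (cp[0] == TCPOPT_MAXSEG)
			return cnt < TCPOLEN_MAXSEG ? 0 : (uint16_t)(cp[2] << 8 | cp[3]);
		if (cp[0] == TCPOPT_NOP) { optlen = 1; continue; }
		if (cnt < 2 || cp[1] < 2 || cp[1] > cnt)
			return 0;
		optlen = cp[1];
	}
	return 0;
}

/* Length-checked walk mirroring the kernel's tcp_dooptions(): a MAXSEG whose
 * length byte is not TCPOLEN_MAXSEG is ignored and skipped by its stated
 * length, so the filter lands on the same next option the kernel does. */
static uint16_t
mss_length_checked_walk(const uint8_t *cp, size_t cnt)
{
	size_t optlen = 0;
	for (; cnt > 0 && cp[0] != TCPOPT_EOL; cp += optlen, cnt -= optlen) {
		if (cp[0] == TCPOPT_NOP) { optlen = 1; continue; }
		if (cnt < 2 || cp[1] < 2 || cp[1] > cnt)
			break;		/* truncated or garbage: stop parsing */
		optlen = cp[1];
		if (cp[0] != TCPOPT_MAXSEG || optlen != TCPOLEN_MAXSEG)
			continue;	/* other option, or MAXSEG with bogus length: skip */
		return (uint16_t)(cp[2] << 8 | cp[3]);
	}
	return 0;
}

/* Constructed option block laid out as in the mail, EOL-padded to 12 bytes:
 * MAXSEG with bogus length 5 carrying 256, EOL, then a valid MAXSEG of 1460. */
static const uint8_t crafted_opts[12] = {
	TCPOPT_MAXSEG, TCPOLEN_MAXSEG + 1, 0x01, 0x00, TCPOPT_EOL,
	TCPOPT_MAXSEG, TCPOLEN_MAXSEG, 0x05, 0xb4, TCPOPT_EOL, TCPOPT_EOL, TCPOPT_EOL,
};
```

On crafted_opts the fixed-length walk reports 256 and stops at the EOL, while the length-checked walk skips the bogus option and reports the 1460 the kernel would honour; on well-formed option lists both agree.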
