[tcpm] TCP segment reassembly vulnerability

Loganaden Velvindron <loganaden@gmail.com> Thu, 09 August 2018 18:43 UTC

MIME-Version: 1.0
From: Loganaden Velvindron <loganaden@gmail.com>
Date: Thu, 09 Aug 2018 22:43:10 +0400
Message-ID: <CAOp4FwRpO1t5hqv-QGfDi3G7SSRy43Kf+GEirDT24GFJh8r03Q@mail.gmail.com>
To: "tcpm@ietf.org Extensions" <tcpm@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/jqZPldrf9uG-HQQdGAovzKPhgak>
Subject: [tcpm] TCP segment reassembly vulnerability
Precedence: list

It appears to be an issue on multiple implementations. AFAIK, it's due
to lack of limits for the reassembly logic when the segments enter the
queue.

FreeBSD:
https://www.freebsd.org/security/advisories/FreeBSD-SA-18:08.tcp.asc

Linux:
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=1a4f14bab1868b443f0dd3c55b689a478f82e72e

Perhaps it might be worth documenting those solutions and possible workarounds.


Thoughts ?

[tcpm] TCP segment reassembly vulnerability Loganaden Velvindron
Re: [tcpm] TCP segment reassembly vulnerability Caitlin Bestler