Thursday, March 11, 2004
New patch, 018_tcp.patch, applied tonight on my laptop, still running
OpenBSD 3.3 with previous applicable patches applied. Here's the
basic info:
------------
OpenBSD's TCP/IP stack did not impose limits on how many out-of-order TCP segments are queued in the system.
If an attacker was allowed to connect to an open TCP port, he could send out-of-order TCP segments and trick the system into using all available memory buffers. Packet handling would be impaired, and new connections would fail until the attacking TCP connection is closed.
The problem is fixed in -current, 3.4-stable and 3.3-stable.
Patches are available at:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/013_tcp.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/018_tcp.patch
------------
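To make the advisory concrete, here is a small Python model of a per-connection TCP reassembly queue, added as an illustration and not taken from OpenBSD's source: segments that arrive ahead of the expected sequence number are held until the gap is filled, and a peer that only ever sends gapped segments keeps the queue growing. Without a cap each held segment keeps costing buffer memory; with a cap the queue stops growing and later out-of-order segments are dropped instead. The cap value, the per-segment memory charge and the traffic pattern are constructed assumptions.

```python
"""Model of a TCP reassembly queue with and without an out-of-order cap.
Constructed illustration; not OpenBSD's tcp_input.c."""
from dataclasses import dataclass, field
from typing import Optional

MBUF_CLUSTER = 2048  # assumed bytes of buffer memory charged per queued segment


@dataclass
class Segment:
    seq: int
    data: bytes


@dataclass
class ReassemblyQueue:
    rcv_nxt: int                          # next in-order sequence number expected
    max_queued: Optional[int] = None      # None = unbounded (pre-patch behaviour)
    queue: dict = field(default_factory=dict)   # seq -> Segment held out of order
    delivered: bytes = b""
    dropped: int = 0

    def buffered_bytes(self) -> int:
        return len(self.queue) * MBUF_CLUSTER

    def receive(self, seg: Segment) -> None:
        if seg.seq == self.rcv_nxt:
            self._deliver(seg)
            return
        if seg.seq < self.rcv_nxt or seg.seq in self.queue:
            return                        # old or duplicate data: nothing to store
        if self.max_queued is not None and len(self.queue) >= self.max_queued:
            self.dropped += 1             # queue full: drop instead of allocating
            return
        self.queue[seg.seq] = seg         # hold until the gap before it is filled

    def _deliver(self, seg: Segment) -> None:
        self.delivered += seg.data
        self.rcv_nxt += len(seg.data)
        while self.rcv_nxt in self.queue:  # drain anything now in order
            nxt = self.queue.pop(self.rcv_nxt)
            self.delivered += nxt.data
            self.rcv_nxt += len(nxt.data)


def simulate(out_of_order: int, max_queued: Optional[int] = None) -> ReassemblyQueue:
    """Constructed traffic: the peer never sends the segment at rcv_nxt, only
    one-byte segments separated by gaps, so the queue never drains."""
    q = ReassemblyQueue(rcv_nxt=1000, max_queued=max_queued)
    for i in range(1, out_of_order + 1):
        q.receive(Segment(seq=1000 + 2 * i, data=b"x"))
    return q
```

Comparing `simulate(10000).buffered_bytes()` with `simulate(10000, max_queued=64).buffered_bytes()` shows the difference the patch makes: unbounded growth versus a fixed ceiling with the excess counted in `dropped`.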
And, for those who might have problems following the directions in the
patch, there are some good instructions at:
http://www.deadly.org/commentShow.php3?sid=20040308194719&pid=242
They are as follows:
From the patch itself:
Apply by doing:
cd /usr/src
patch -p0 < 013_tcp.patch
Rebuild your kernel.
Update headers.
make includes
Then rebuild and install sysctl:
cd sbin/sysctl
make depend
make
make install
Analysis follows:
First we change our working directory to /usr/src.
Next we apply the patch using the patch program and redirect a patch file
to it. Assuming that succeeded, rebuild and install your kernel.
Now the next line is implied, not given.
cd /usr/src; make includes
"includes" is a target in the /usr/src/Makefile. It will install those lovely ".h"
files that are needed, just as "install" is a target. Remember doing things
like "make install"?
Next rebuild and install sysctl.
Oh don't forget to reboot at some point to have the new kernel load too.
------------
Hope the instructions may help someone along the way. I was a little in
the dark about the "make includes".