Are you perhaps confusing IP Fragment Reassembly with the similar but unrelated TCP Segment Reassembly? My understanding is that TCP stacks normally try very hard not to generate IP fragments in a TCP stream. It appears that this bug report relates only to TCP Reassembly, and has nothing to do with IP Fragments. But perhaps I am misreading it? -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Ronald F. Guilmette Sent: Thursday, May 01, 2014 2:38 PM To: [email protected] Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp In message <[email protected]>, Xin Li <[email protected]> wrote: >On 05/01/14 07:19, Karl Pielorz wrote: >> >> >> --On 30 April 2014 04:35:10 +0000 FreeBSD Security Advisories >> <[email protected]> wrote: >> >>> II. Problem Description >>> >>> FreeBSD may add a reassemble queue entry on the stack into the >>> segment list when the reassembly queue reaches its limit. The >>> memory from the stack is undefined after the function returns. >>> Subsequent iterations of the reassembly function will attempt to >>> access this entry. >> >> Hi, >> >> Does this require an established TCP session to be present? - i.e. >> If you have a host which provides no external TCP sessions (i.e. >> replies 'Connection Refused' / drops the initial SYN) would that >> still be potentially exploitable? > >No. An established TCP session is required. I also have a question.... If one manages a system where (a) all local user accounts are completely and 100% trustworthy and where (b) one has in place ipfw rules which reject all incoming packet *fragments* on all outward-facing interfaces, then is this security problem (relating to the reassembly queue) an issue at all for said system? Or is it rather a non-event in such contexts? Regards, rfg _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]" This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. makes no warranty that this email is error or virus free. Thank you. _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"