diff options
author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2019-07-10 18:45:32 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2019-07-10 18:45:32 +0000 |
commit | ac073285f00cf77a02c7c85707974bee0a471ed1 (patch) | |
tree | 434f44eb5ee5d649105c4a8de3b27bb85de981e8 /usr.bin/nc | |
parent | d8bf193ec09f26b570daa057ab9961744de1794d (diff) |
Received SACK options are managed by a linked list at the TCP socket.
There is a global tunable limit net.inet.tcp.sackholelimit, default
is 32768. If an attacker manages to attach all these sack holes
to a few TCP connections, the lists may grow long. Traversing them
might cause higher CPU consumption on the victim machine. In
practice such a situation is hard to create as the TCP retransmit
and 2*msl timer flush the list periodically. For additional
protection, enforce a per connection limit of 128 SACK holes in the
list.
reported by Reuven Plevinsky and Tal Vainshtein
discussed with claudio@ and procter@; OK deraadt@
Diffstat (limited to 'usr.bin/nc')
0 files changed, 0 insertions, 0 deletions