Archive of FreeBSD Security general posting, FreeBSD Security Advisory FreeBSD-SA-02:20.syncache

17/04/02, FreeBSD Security Advisory FreeBSD-SA-02:20.syncache
From: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

To: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>
Subject: FreeBSD Security Advisory FreeBSD-SA-02:20.syncache
From: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>
Date: Tue, 16 Apr 2002 14:03:49 -0700 (PDT)
List-archive: <> (Web Archive)
List-help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-id: <freebsd-security-notifications.FreeBSD.ORG>
List-subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security-notifications>
List-unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security-notifications>
Reply-to: postmaster@FreeBSD.ORG
Sender: owner-freebsd-security-notifications@FreeBSD.ORG


FreeBSD-SA-02:20                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          syncache/syncookies denial of service

Category:       core
Module:         net
Announced:      2002-04-16
Credits:        Alan Judge <>
                Dima Ruban <>
Affects:        FreeBSD 4.5-RELEASE
                FreeBSD 4.4-STABLE after 2001-12-14 19:53:01 UTC
                FreeBSD 4.5-STABLE prior to the correction date
Corrected:      2002-02-20 16:48:49 UTC (RELENG_4)
                2002-02-21 16:38:39 UTC (RELENG_4_5, 4.5-RELEASE-p1)
FreeBSD only:   YES

I.   Background

The SYN cache ("syncache") and SYN cookie mechanism ("syncookie") are
features of the TCP/IP stack intended to improve resistance to a class
of denial of service attacks known as SYN floods.

II.  Problem Description

Two related problems with syncache were triggered when syncookies were

1) When a SYN was accepted via a syncookie, it used an uninitialized
pointer to find the TCP options for the new socket.  This pointer may
be a null pointer, which will cause the machine to crash.

2) A syncache entry is created when a SYN arrives on a listen socket.
If the application which created the listen socket was killed and
restarted --- and therefore recreated the listen socket with a
different inpcb --- an ACK (or duplicate SYN) which later arrived and
matched the existing syncache entry would cause a reference to the old
inpcb pointer.  Depending on the pointer's contents, this might result
in a system crash.

Because syncache/syncookies support was added prior to the release of
FreeBSD 4.5-RELEASE, no other releases are affected.

III. Impact

Legitimate TCP/IP traffic may cause the machine to crash.

IV.  Workaround

The first issue described may be worked around by disabling syncookies
using sysctl.  Issue the following command as root:

  # sysctl -w net.inet.tcp.syncookies=0

However, there is no workaround for the second issue.

V.   Solution

1) Upgrade your vulnerable system to 4.5-STABLE or the RELENG_4_5
security branch dated after the respective correction dates.

2) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

# fetch
# fetch

This patch has been verified to apply to 4.5-RELEASE only.

Verify the detached PGP signature using your PGP utility.

Execute the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch

Recompile your kernel as described in and reboot the

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.

Path                                                             Revision
- -------------------------------------------------------------------------
- -------------------------------------------------------------------------

VII. References

Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see


To Unsubscribe: send mail to
with "unsubscribe freebsd-security-notifications" in the body of the message

Previous message sorted by date: FreeBSD Ports Security Advisory FreeBSD-SA-02:19.squid
Next message sorted by date: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Previous message sorted by thread: FreeBSD Ports Security Advisory FreeBSD-SA-02:19.squid
Next message by thread: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Jan 2003