COMMAND
	FreeBSD syncache/syncookies denial of service
SYSTEMS AFFECTED
	 FreeBSD 4.5-RELEASE
	 FreeBSD 4.4-STABLE after 2001-12-14 19:53:01 UTC
	 FreeBSD 4.5-STABLE prior to the correction date 
	 Corrected:      2002-02-20 16:48:49 UTC (RELENG_4)
	                 2002-02-21 16:38:39 UTC (RELENG_4_5, 4.5-RELEASE-p1)
PROBLEM
	In FreeBSD Security Advisory FreeBSD-SA-02:20.syncache a  bug  regarding
	syncache and syncookie mechanism has been detected and corrected :
	 Background
	 ==========
	The SYN cache ("syncache") and SYN cookie  mechanism  ("syncookie")  are
	features of the TCP/IP stack intended to improve resistance to  a  class
	of denial of service attacks known as SYN floods.
	 Problem Description
	 ===================
	Two related problems with syncache were triggered when  syncookies  were
	implemented.
	1) When a SYN was accepted via a syncookie,  it  used  an  uninitialized
	pointer to find the TCP options for the new socket. This pointer may  be
	a null pointer, which will cause the machine to crash.
	2) A syncache entry is created when a SYN arrives on  a  listen  socket.
	If the application which  created  the  listen  socket  was  killed  and
	restarted  ---  and  therefore  recreated  the  listen  socket  with   a
	different inpcb --- an ACK (or duplicate SYN) which  later  arrived  and
	matched the existing syncache entry would cause a reference to  the  old
	inpcb pointer. Depending on the pointer's contents,  this  might  result
	in a system crash.
	Because syncache/syncookies support was added prior to  the  release  of
	FreeBSD 4.5-RELEASE, no other releases are affected.
	 Impact
	 ======
	Legitimate TCP/IP traffic may cause the machine to crash.
SOLUTION
	 Workaround
	 ==========
	The first issue described may be worked around by  disabling  syncookies
	using sysctl.  Issue the following command as root:
	
	  # sysctl -w net.inet.tcp.syncookies=0
	
	However, there is no workaround for the second issue.
	 Solution
	 ========
	1) Upgrade your  vulnerable  system  to  4.5-STABLE  or  the  RELENG_4_5
	security branch dated after the respective correction dates.
	2) To patch your present system: download the relevant  patch  from  the
	below location, and execute the following commands as root:
	
	# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch
	# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch.asc
	
	This patch has been verified to apply to 4.5-RELEASE only.
	Verify the detached PGP signature using your PGP utility.
	Execute the following commands as root:
	
	# cd /usr/src
	# patch -p < /path/to/patch
	
	Recompile        your        kernel        as        described        in
	http://www.freebsd.org/handbook/kernelconfig.html   and    reboot    the
	system.
	 Correction details
	 ==================
	The following list contains the revision numbers of each file  that  was
	corrected in the FreeBSD ports collection.
	
	Path                                                             Revision
	  Branch
	- -------------------------------------------------------------------------
	src/sys/conf/newvers.sh
	  RELENG_4_5                                                1.44.2.20.2.2
	src/sys/netinet/tcp_syncache.c
	  RELENG_4                                                        1.5.2.5
	  RELENG_4_5                                                  1.5.2.4.2.1
	- -------------------------------------------------------------------------