Vulnerability Note VU#395670
FreeBSD fails to limit number of TCP segments held in reassembly queue
FreeBSD fails to limit the number of TCP segments held in a reassembly queue which could allow an attacker to exhaust all available memory buffers (mbufs) on the destination system resulting in a denial-of-service condition.
The Transmission Control Protocol (TCP) is part of the TCP/IP protocol suite and designed to provide reliable and connection-oriented service. In order to provide reliable service, TCP is designed to process packets that are delivered out of order so that these packets can later be re-assembled to create the entire TCP segment. There is a vulnerability in the way FreeBSD handles out-of-sequence TCP segments. When network packets making up a TCP segment are received out-of-sequence, these packets are held in a reassembly queue on the destination system so that they can be re-ordered and re-assembled. By sending a large number of out-of-sequence TCP packets, an unauthenticated, remote attacker could exhaust all memory buffers (mbufs) on the destination system resulting in a denial-of-service condition.
An unauthenticated, remote attacker could exhaust all memory buffers (mbufs) on the destination system resulting in a denial-of-service condition.
If you are a vendor and your product is affected, let
|Vendor||Status||Date Notified||Date Updated|
|FreeBSD||Affected||-||04 Mar 2004|
This vulnerability was reported by
This document was written by Damon Morda.
18 Feb 2004
Date First Published:
04 Mar 2004
Date Last Updated:
04 Mar 2004
If you have feedback, comments, or additional information about this vulnerability, please send us email.