On Mon, Oct 22, 2018 at 9:40 PM Jim Reid <jim@rfc1035.com> wrote:
> The vulnerabilities are apparently in the TCP/IP stack. How is this possible? Rock-solid public domain TCP/IP code has been around since BSD4.4 20+ years ago. Or even earlier. Why would someone shun that, write their own code and do it badly?

Sometimes the publicly available TCP handling code might seem to be too slow and bloated for embedded software. Embedded developers are used to getting rid of the security checks they believe are unnecessary, because it reduces both computational time and memory footprint. I actually have a device almost at my disposal which implements its own TCP driver in the most effective and braindead way. I'm going to check against my NDA if I can share the details, but, spoiler, you'll be shocked at what it does with plain old poor TCP.

| Töma Gavrichenkov
| gpg: 2deb 97b1 0a3c 151d b67f 1ee5 00e7 94bc 4d08 9191
| mailto: ximaera@gmail.com
| fb: ximaera
| telegram: xima_era
| skype: xima_era
| tel. no: +7 916 515 49 58