Problem Description:
When a challenge ACK is to be sent tcp_respond() constructs and
sends the challenge ACK and consumes the mbuf that is passed in.
When no challenge ACK should be sent the function returns and leaks
the mbuf.
Impact:
If an attacker is either on path with an established TCP
connection, or can themselves establish a TCP connection, to an
affected FreeBSD machine, they can easily craft and send packets
which meet the challenge ACK criteria and cause the FreeBSD host
to leak an mbuf for each crafted packet in excess of the configured
rate limit settings i.e. with default settings, crafted packets
in excess of the first 5 sent within a 1s period will leak an mbuf.
Technically, off-path attackers can also exploit this problem by
guessing the IP addresses, TCP port numbers and in some cases the
sequence numbers of established connections and spoofing packets
towards a FreeBSD machine, but this is harder to do effectively.