https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219991
Bug ID: 219991
Summary: [PATCH] TCP process bogus packets with too large ACK
Product: Base System
Version: 10.3-STABLE
Hardware: Any
OS: Any
Status: New
Keywords: patch
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: zub...@advancedhosters.com
Keywords: patch
Created attachment 183483
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=183483&action=edit
patch sys/netinet/tcp_input.c - check incoming ACK number against snd_max
Some DPI send bogus TCP packets with wrong SEQ/ACK numbers.
TCP reply by zero packet with last valid SEQ/ACK - this can cause zero-packet
exchange loop (IP of FreeBSD server is 88.208.9.79):
10:44:05.500062 IP 31.166.232.167.45174 > 88.208.9.79.80: Flags [S], seq
870523557, win 65535, options [mss 1460,sackOK,TS val 4441706 ecr 0,nop,wscale
6], length 0
10:44:05.500079 IP 88.208.9.79.80 > 31.166.232.167.45174: Flags [S.], seq
3850309907, ack 870523558, win 8192, options [mss 1460,nop,wscale 6,sackOK,TS
val 908986662 ecr 4441706], length 0
10:44:05.576661 IP 31.166.232.167.45174 > 88.208.9.79.80: Flags [.], ack
3850309908, win 1369, options [nop,nop,TS val 4441714 ecr 908986662], length 0
10:44:05.578406 IP 31.166.232.167.45174 > 88.208.9.79.80: Flags [R], seq
2787304243, win 1369, length 0
10:44:05.583003 IP 31.166.232.167.45174 > 88.208.9.79.80: Flags [R.], seq 0,
ack 3850312661, win 0, length 0
10:44:05.584581 IP 31.166.232.167.45174 > 88.208.9.79.80: Flags [.], ack
3850311208, win 1414, options [nop,nop,TS val 4441715 ecr 908986662], length 0
10:44:05.584587 IP 88.208.9.79.80 > 31.166.232.167.45174: Flags [.], ack
870523558, win 135, options [nop,nop,TS val 908986746 ecr 4441714], length 0
10:44:05.585403 IP 31.166.232.167.45174 > 88.208.9.79.80: Flags [.], ack
3850312508, win 1460, options [nop,nop,TS val 4441715 ecr 908986662], length 0
10:44:05.585408 IP 88.208.9.79.80 > 31.166.232.167.45174: Flags [.], ack
870523558, win 135, options [nop,nop,TS val 908986747 ecr 4441714], length 0
10:44:05.585412 IP 31.166.232.167.45174 > 88.208.9.79.80: Flags [.], ack
3850312660, win 1500, options [nop,nop,TS val 4441715 ecr 908986662], length 0
10:44:05.585416 IP 88.208.9.79.80 > 31.166.232.167.45174: Flags [.], ack
870523558, win 135, options [nop,nop,TS val 908986747 ecr 4441714], length 0
10:44:05.589039 IP 31.166.232.167.45174 > 88.208.9.79.80: Flags [F.], seq
870524447, ack 3850312660, win 1500, options [nop,nop,TS val 4441715 ecr
908986662], length 0
10:44:05.589066 IP 88.208.9.79.80 > 31.166.232.167.45174: Flags [.], ack
870523558, win 135, options [nop,nop,TS val 908986751 ecr 4441714], length 0
10:44:05.664713 IP 31.166.232.167.45174 > 88.208.9.79.80: Flags [.], ack
3850312660, win 1500, options [nop,nop,TS val 4441723 ecr 908986662], length 0
10:44:05.664735 IP 88.208.9.79.80 > 31.166.232.167.45174: Flags [.], ack
870523558, win 135, options [nop,nop,TS val 908986826 ecr 4441714], length 0
10:44:05.664738 IP 31.166.232.167.45174 > 88.208.9.79.80: Flags [.], ack
3850312660, win 1500, options [nop,nop,TS val 4441723 ecr 908986662], length 0
10:44:05.664743 IP 88.208.9.79.80 > 31.166.232.167.45174: Flags [.], ack
870523558, win 135, options [nop,nop,TS val 908986826 ecr 4441714], length 0
Note that there were no packets with data and remote side send ACKs for
3850312660, while initial ACK is 3850309907.
My proposal is to check incoming ACKs and drop packets which exceed valid value
(th->snd_max)
Some packets (RST?) have zero ACK - they don't have to be dropped.
Patch is tested on 10.3.
--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
