Public bug reported:

Binary package hint: linux-image-2.6.24-19-generic

Ubuntu release:
Description:    Ubuntu 8.04.1
Release:        8.04

Package version:
linux-image-2.6.24-19-generic:
  Installato: 2.6.24-19.41
  Candidato: 2.6.24-19.41
  Tabella versione:
 *** 2.6.24-19.41 0
        500 http://it.archive.ubuntu.com hardy-updates/main Packages
        500 http://security.ubuntu.com hardy-security/main Packages
        100 /var/lib/dpkg/status

Sometimes, when a packet that contains a SACK option is received it is marked 
as invalid and dropped. I experienced this when connecting to a server under 
heavy network traffic, with ufw activated. If I try for example to upload a 
file to the server via sftp, the connection stalls after a few hundred 
kilobytes transmitted. If I add a rule for accepting invalid packets from the 
server the upload works correctly.
Below is the information I found on the netfilter mailing list on kernel.org:

Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=84ebe1cdae56707b9aa1b40ae5aa7d817ba745f5
Commit:     84ebe1cdae56707b9aa1b40ae5aa7d817ba745f5
Parent:     d420895efb259a78dda50f95289571faa6e10e41
Author:     Jozsef Kadlecsik <[EMAIL PROTECTED]>
AuthorDate: Mon Jun 30 12:41:30 2008 -0700
Committer:  David S. Miller <[EMAIL PROTECTED]>
CommitDate: Mon Jun 30 12:41:30 2008 -0700

    netfilter: nf_conntrack_tcp: fixing to check the lower bound of valid ACK
    
    Lost connections were reported by Thomas Bätzler (running a 2.6.25 kernel) on
    the netfilter mailing list (see the thread "Weird nat/conntrack Problem
    with PASV FTP upload"). He provided tcpdump recordings which helped to
    find a long lingering bug in conntrack.
    
    In TCP connection tracking, checking the lower bound of valid ACK could
    lead to marking valid packets as INVALID because:
    
     - We have got a "higher or equal" inequality, but the test checked
       the "higher" condition only; fixed.
     - If the packet contains a SACK option, it could occur that the ACK
       value was before the left edge of our (S)ACK "window": if a previous
       packet from the other party intersected the right edge of the window
       of the receiver, we could move forward the window parameters beyond
       accepting a valid ack. Therefore in this patch we check the rightmost
       SACK edge instead of the ACK value in the lower bound of valid (S)ACK
       test.
    
    Signed-off-by: Jozsef Kadlecsik <[EMAIL PROTECTED]>
    Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
    Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
---
 net/netfilter/nf_conntrack_proto_tcp.c |   13 +++++++------
 1 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c 
b/net/netfilter/nf_conntrack_proto_tcp.c
index ba94004..271cd01 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -331,12 +331,13 @@ static unsigned int get_conntrack_index(const struct 
tcphdr *tcph)
 
    I.   Upper bound for valid data:    seq <= sender.td_maxend
    II.  Lower bound for valid data:    seq + len >= sender.td_end - 
receiver.td_maxwin
-   III.        Upper bound for valid ack:      sack <= receiver.td_end
-   IV. Lower bound for valid ack:      ack >= receiver.td_end - MAXACKWINDOW
+   III.        Upper bound for valid (s)ack:   sack <= receiver.td_end
+   IV. Lower bound for valid (s)ack:   sack >= receiver.td_end - MAXACKWINDOW
 
-   where sack is the highest right edge of sack block found in the packet.
+   where sack is the highest right edge of sack block found in the packet
+   or ack in the case of packet without SACK option.
 
-   The upper bound limit for a valid ack is not ignored -
+   The upper bound limit for a valid (s)ack is not ignored -
    we doesn't have to deal with fragments.
 */
 
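Review bot: the new definition of sack in this comment ("the highest right edge of sack block found in the packet or ack in the case of packet without SACK option") leaves one case unstated: a packet that carries a SACK option whose right edges are all below its ack number. Since test IV now depends on that value, the comment should say which of the two is used then (the code in the second hunk decides it, the comment should match). Minor: while this comment block is being edited, the unchanged context line "we doesn't have to deal with fragments" could become "we don't".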
@@ -606,12 +607,12 @@ static bool tcp_in_window(const struct nf_conn *ct,
                 before(seq, sender->td_maxend + 1),
                 after(end, sender->td_end - receiver->td_maxwin - 1),
                 before(sack, receiver->td_end + 1),
-                after(ack, receiver->td_end - MAXACKWINDOW(sender)));
+                after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1));
 
        if (before(seq, sender->td_maxend + 1) &&
            after(end, sender->td_end - receiver->td_maxwin - 1) &&
            before(sack, receiver->td_end + 1) &&
-           after(ack, receiver->td_end - MAXACKWINDOW(sender))) {
+           after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)) {
                /*
                 * Take into account window scaling (RFC 1323).
                 */
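Review bot: the replaced condition "after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)" implements the ">=" of test IV, because after() is strict and the "- 1" admits the equal case; this matches the neighbouring "after(end, sender->td_end - receiver->td_maxwin - 1)" used for test II, so the four checks are now consistent. The same expression is written out twice in this hunk, once in the argument list of the debug print at the top and once in the if() below it; evaluating it once into a local boolean would keep the debug output and the actual decision from drifting apart on a later edit. Also, since ack no longer appears in the condition, confirm that the variable is still used elsewhere in tcp_in_window(), otherwise the compiler will warn about it being set but unused.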
--
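
The two defects the commit message lists (the strict comparison where a "greater or equal" was meant, and the plain ack being compared even when a SACK block reaches further) are easiest to see with concrete sequence numbers. The following is an added example written for this page, not code from the kernel or from the bug reporter: it re-implements the before()/after() comparison helpers and test IV in both its pre-patch and post-patch forms, and runs them over constructed packets. MAXACKWINDOW, RECEIVER_TD_END, the struct pkt fields and the three sample packets are assumptions made for the illustration; in the kernel MAXACKWINDOW(sender) is derived from the sender's tracked window.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sequence-number comparisons modulo 2^32, with the semantics of the
 * kernel's before()/after() helpers: both are strict comparisons. */
static bool before(uint32_t seq1, uint32_t seq2)
{
    return (int32_t)(seq1 - seq2) < 0;
}
#define after(seq2, seq1) before(seq1, seq2)

/* Assumed fixed value for the illustration; the real MAXACKWINDOW(sender)
 * depends on the sender's tracked window size. */
#define MAXACKWINDOW 66000u

/* Constructed minimal view of the fields test IV needs from a packet. */
struct pkt {
    uint32_t ack;        /* acknowledgement number */
    bool has_sack;       /* packet carries a SACK option */
    uint32_t sack_right; /* highest right edge among its SACK blocks */
};

/* "sack" as the patched comment defines it: the highest SACK right edge,
 * or the ack number when the packet has no SACK option. It is never taken
 * below ack, so a SACK option can only widen what test IV accepts. */
static uint32_t effective_sack(const struct pkt *p)
{
    uint32_t sack = p->ack;
    if (p->has_sack && after(p->sack_right, sack))
        sack = p->sack_right;
    return sack;
}

/* Test IV before the patch: plain ack, strictly greater than the bound. */
static bool lower_bound_old(const struct pkt *p, uint32_t receiver_td_end)
{
    return after(p->ack, receiver_td_end - MAXACKWINDOW);
}

/* Test IV after the patch: the (s)ack value, and the "- 1" turns the strict
 * after() into the "greater or equal" the comment specifies. */
static bool lower_bound_new(const struct pkt *p, uint32_t receiver_td_end)
{
    return after(effective_sack(p), receiver_td_end - MAXACKWINDOW - 1);
}

/* Constructed scenarios: receiver->td_end is 100000 throughout, so the
 * lower bound of test IV is 100000 - 66000 = 34000. */
#define RECEIVER_TD_END 100000u

/* ack exactly on the bound, no SACK: only the off-by-one fix accepts it. */
static const struct pkt PKT_ACK_ON_BOUND = { .ack = 34000, .has_sack = false, .sack_right = 0 };
/* ack just behind the bound, but a SACK block reaching well past it. */
static const struct pkt PKT_SACK_PAST_BOUND = { .ack = 33000, .has_sack = true, .sack_right = 50000 };
/* ack far behind the bound, no SACK: both versions still reject it. */
static const struct pkt PKT_STALE_ACK = { .ack = 10000, .has_sack = false, .sack_right = 0 };

int main(void)
{
    const struct pkt *cases[] = { &PKT_ACK_ON_BOUND, &PKT_SACK_PAST_BOUND, &PKT_STALE_ACK };
    const char *names[] = { "ack on bound", "sack past bound", "stale ack" };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-16s ack=%u sack=%u  old:%s  new:%s\n", names[i],
               cases[i]->ack, effective_sack(cases[i]),
               lower_bound_old(cases[i], RECEIVER_TD_END) ? "valid" : "INVALID",
               lower_bound_new(cases[i], RECEIVER_TD_END) ? "valid" : "INVALID");
    return 0;
}
```

The first two packets are exactly the ones the commit message describes being dropped: the old test marks both INVALID, the patched test accepts both. The third shows that the fix only moves the bound by one and lets a SACK right edge stand in for the ack; an acknowledgement that is genuinely far behind the window is rejected either way.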

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

-- 
 netfilter: In TCP connection tracking, some valid packets are marked as INVALID
https://bugs.launchpad.net/bugs/264269

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs