[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-08:02.tcp
FreeBSD Errata Notices
errata-notices at freebsd.org
Thu Jun 19 06:54:38 UTC 2008
=============================================================================
FreeBSD-EN-08:02.tcp Errata Notice
The FreeBSD Project
Topic: TCP options padding
Category: core
Module: sys_netinet
Announced: 2008-06-19
Credits: Bjoern A. Zeeb, Mike Silbersack, Andre Oppermann
Affects: 7.0-RELEASE
Corrected: 2008-05-05 20:59:36 UTC (RELENG_7, 7.0-STABLE)
           2008-06-19 06:36:10 UTC (RELENG_7_0, 7.0-RELEASE-p2)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.
I. Background
The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service. TCP packets can contain "TCP options" which allow for
enhancements to basic TCP functionality; depending on the length of
these options, it may be necessary for padding to be added.
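As an added illustration (not part of this notice or of the FreeBSD source), the Python below builds a SYN option block carrying the RFC 1323 and SACK options the workaround refers to, pads it to the 32-bit boundary the TCP Data Offset field requires, and checks an arbitrary option block for the length and padding problems a strict receiver or firewall could reject. The checks are the generic RFC 793 rules; they do not reproduce the specific 7.0 defect.

```python
"""Constructed example: TCP option assembly, padding and validation.

The TCP Data Offset field counts 32-bit words, so a header plus its
options must be a multiple of 4 bytes; the gap is filled with NOP
(kind 1) and/or EOL (kind 0) padding bytes."""
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
TCPOPT_WSCALE, TCPOPT_SACK_OK, TCPOPT_TS = 3, 4, 8

def pad_options(opts: bytes) -> bytes:
    """Pad to the next multiple of 4 with EOL then zero bytes (0x00 is EOL)."""
    return opts + bytes((-len(opts)) % 4)

def build_syn_options(mss=1460, wscale=6, sack_ok=True, ts=(1, 0)) -> bytes:
    """Assemble MSS, window scale, SACK-permitted and timestamp options."""
    opts = struct.pack("!BBH", TCPOPT_MSS, 4, mss)
    if wscale is not None:
        opts += struct.pack("!BBB", TCPOPT_WSCALE, 3, wscale)
    if sack_ok:
        opts += struct.pack("!BB", TCPOPT_SACK_OK, 2)
    if ts is not None:                      # RFC 1323 timestamps: TSval, TSecr
        opts += struct.pack("!BBII", TCPOPT_TS, 10, *ts)
    return pad_options(opts)

def data_offset_words(opts: bytes) -> int:
    """Data Offset value for a 20-byte fixed header plus these options."""
    return (20 + len(opts)) // 4

def option_issues(opts: bytes) -> list:
    """Walk an option block; return problems found (empty list = well formed)."""
    issues = []
    if len(opts) % 4:
        issues.append("length %d is not a multiple of 4" % len(opts))
    if len(opts) > 40:
        issues.append("length %d exceeds the 40-byte maximum" % len(opts))
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:              # everything after EOL must be zero
            if any(opts[i + 1:]):
                issues.append("non-zero bytes after EOL at offset %d" % i)
            break
        if kind == TCPOPT_NOP:              # single-byte option, no length
            i += 1
            continue
        if i + 1 >= len(opts):
            issues.append("option kind %d at offset %d has no length byte" % (kind, i))
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            issues.append("option kind %d at offset %d has bad length %d" % (kind, i, length))
            break
        i += length
    return issues
```

Feeding `option_issues()` the option bytes extracted from captured SYN and SYN/ACK segments (offset 20 up to Data Offset * 4) is a quick way to confirm whether a blocked connection is really a padding problem.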
II. Problem Description
Under certain conditions, TCP options are not correctly padded.
III. Impact
A small number of firewalls have been reported to block incorrectly
padded TCP SYN and SYN/ACK packets generated by FreeBSD 7.0, with the
result that an attempt to open a TCP connection to or from an affected
host across such a firewall will fail.
IV. Workaround
Disabling RFC 1323 extensions and selective acknowledgments will
eliminate the need for TCP option padding and restore interoperability.
Note that disabling these features may cause a reduction in performance
on high latency networks and networks that experience frequent packet
loss.
To disable these features, add the following lines to /etc/sysctl.conf:
net.inet.tcp.rfc1323=0
net.inet.tcp.sack.enable=0
And then run "/etc/rc.d/sysctl restart" to make the change effective.
V. Solution
Perform one of the following:
1) Upgrade your affected system to 7-STABLE, or the RELENG_7_0 security
branch dated after the correction date.
2) To patch your present system:
The following patch has been verified to apply to FreeBSD 7.0 systems:
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/EN-08:02/tcp.patch
# fetch http://security.FreeBSD.org/patches/EN-08:02/tcp.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_7
  src/sys/netinet/tcp.h                                            1.40.2.1
  src/sys/netinet/tcp_output.c                                    1.141.2.6
RELENG_7_0
  src/UPDATING                                                1.507.2.3.2.6
  src/sys/conf/newvers.sh                                      1.72.2.5.2.6
  src/sys/netinet/tcp.h                                            1.40.4.1
  src/sys/netinet/tcp_output.c                                1.141.2.3.2.1
-------------------------------------------------------------------------
VII. References
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-08:02.tcp.asc