kern/82963: TCP MD5 disables rfc1323 options on passive connections
Noritoshi Demizu
demizu at dd.iij4u.or.jp
Mon Jul 4 05:20:19 GMT 2005
>Number: 82963
>Category: kern
>Synopsis: TCP MD5 disables rfc1323 options on passive connections
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jul 04 05:20:18 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Noritoshi Demizu
>Release: FreeBSD 6.0 current (as of July 4, 2005)
>Organization:
>Environment:
FreeBSD kodaira4.koganei.wide.ad.jp 6.0-CURRENT FreeBSD 6.0-CURRENT #0: Mon Jul 4 12:16:45 JST 2005 noritosi at kodaira4.koganei.wide.ad.jp:/home/src/os/FreeBSD-current/src/sys/i386/compile/GENERIC i386
>Description:
When the TCP MD5 Signature option is used on a TCP connection,
both the TCP Timestamps option and the TCP Window Scale option
are turned off.
Below is an example of such a scenario.
# tcpdump -nXi lo0 tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
14:06:22.577329 IP 127.0.0.1.54072 > 127.0.0.1.58851: S 3668653428:3668653428(0) win 65535 <mss 16344,nop,wscale 1,nop,nop,timestamp 211371 0,opt-19:00000000000000000000000000000000,sackOK>
0x0000: 4500 0050 06bf 4000 4006 35e7 7f00 0001 E..P..@.@.5.....
0x0010: 7f00 0001 d338 e5e3 daab 3574 0000 0000 .....8....5t....
0x0020: f002 ffff a8cd 0000 0204 3fd8 0103 0301 ..........?.....
0x0030: 0101 080a 0003 39ab 0000 0000 1312 0000 ......9.........
0x0040: 0000 0000 0000 0000 0000 0000 0000 0402 ................
14:06:22.577774 IP 127.0.0.1.58851 > 127.0.0.1.54072: S 1998295442:1998295442(0) ack 3668653429 win 65535 <mss 16344,opt-19:00000000000000000000000000000000,sackOK>
0x0000: 4500 0040 06c0 4000 4006 35f6 7f00 0001 E..@..@.@.5.....
0x0010: 7f00 0001 e5e3 d338 771b 9192 daab 3575 .......8w.....5u
0x0020: b012 ffff 26dc 0000 0204 3fd8 1312 0000 ....&.....?.....
0x0030: 0000 0000 0000 0000 0000 0000 0000 0402 ................
14:06:22.591606 IP 127.0.0.1.54072 > 127.0.0.1.58851: . ack 1 win 65535 <opt-19:00000000000000000000000000000000,eol>
0x0000: 4500 003c 06c1 4000 4006 35f9 7f00 0001 E..<..@.@.5.....
0x0010: 7f00 0001 d338 e5e3 daab 3575 771b 9193 .....8....5uw...
0x0020: a010 ffff 7cbf 0000 1312 0000 0000 0000 ....|...........
0x0030: 0000 0000 0000 0000 0000 0000 ............
(snip)
This problem was reported in
http://lists.freebsd.org/pipermail/freebsd-net/2005-April/006973.html
>How-To-Repeat:
1. Prepare a FreeBSD current box. Turn on the TCP MD5 option,
the TCP Timestamps option, and the TCP Window Scale option.
2. On that box, start a server program that accepts a TCP connection.
3. Try to establish a TCP connection with the server program.
The incoming SYN should include the TCP MD5 option, the TCP
Timestamps option and the TCP Window Scale option.
4. The outgoing SYN+ACK includes the TCP MD5 option. But it does not
include the TCP Timestamps option and the TCP Window Scale option.
>Fix:
I think the cause and the fix are as follows:
At line 987 in tcp_syncache.c 1.74, sc->sc_flags is overwritten
by SCF_SIGNATURE. By this line, SCF_TIMESTAMP and SCF_WINSCALE
are turned off. I think the operator "=" should be "|=".
986: if (to->to_flags & TOF_SIGNATURE)
- 987: sc->sc_flags = SCF_SIGNATURE;
+ 987: sc->sc_flags |= SCF_SIGNATURE;
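Review bot: with `|=` at line 987 the result now depends on what sc->sc_flags already holds when this branch runs, and the context shown here does not include where the field is initialised. Please confirm it is zeroed when the syncache entry is set up, since the old `=` would have masked any stale bits and the new form keeps them. A one-line comment stating that SCF_SIGNATURE is OR-ed in so that SCF_TIMESTAMP and SCF_WINSCALE survive would also help keep this from regressing.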
With this change, the problem does not occur in my environment.
>Release-Note:
>Audit-Trail:
>Unformatted:
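The check in step 4 of How-To-Repeat can be automated. The C program below is an added example, not part of the original report or of the FreeBSD sources: it parses the TCP options of the SYN and SYN+ACK from the capture above and reports RFC 1323 options that a signed SYN+ACK dropped. The function names are hypothetical, the byte arrays are the TCP headers transcribed from the tcpdump hex dump, and it assumes the responder has both options enabled as in step 1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP option kinds: window scale and timestamps (RFC 1323), MD5 signature (RFC 2385). */
enum { OPT_EOL = 0, OPT_NOP = 1, OPT_WSCALE = 3, OPT_TSTAMP = 8, OPT_MD5SIG = 19 };

/* TCP headers (IP header stripped) of the SYN and SYN+ACK in the report's dump. */
static const uint8_t SYN[60] = {
    0xd3,0x38,0xe5,0xe3,0xda,0xab,0x35,0x74,0x00,0x00,0x00,0x00,0xf0,0x02,0xff,0xff,
    0xa8,0xcd,0x00,0x00,0x02,0x04,0x3f,0xd8,0x01,0x03,0x03,0x01,0x01,0x01,0x08,0x0a,
    0x00,0x03,0x39,0xab,0x00,0x00,0x00,0x00,0x13,0x12, /* 16 zero digest bytes */
    [58] = 0x04, 0x02 };
static const uint8_t SYNACK[44] = {
    0xe5,0xe3,0xd3,0x38,0x77,0x1b,0x91,0x92,0xda,0xab,0x35,0x75,0xb0,0x12,0xff,0xff,
    0x26,0xdc,0x00,0x00,0x02,0x04,0x3f,0xd8,0x13,0x12, /* 16 zero digest bytes */
    [42] = 0x04, 0x02 };

/* Set bit <kind> in *mask per option present; -1 if truncated or malformed. */
int tcp_opt_mask(const uint8_t *tcp, size_t len, uint32_t *mask)
{
    size_t hlen, i = 20;                 /* options start after the fixed header */
    *mask = 0;
    if (len < 20 || (hlen = (size_t)(tcp[12] >> 4) * 4) < 20 || hlen > len)
        return -1;
    while (i < hlen && tcp[i] != OPT_EOL) {
        if (tcp[i] == OPT_NOP) { i++; continue; }
        if (i + 1 >= hlen || tcp[i + 1] < 2 || i + tcp[i + 1] > hlen)
            return -1;
        if (tcp[i] < 32) *mask |= 1u << tcp[i];
        i += tcp[i + 1];
    }
    return 0;
}

/* Kinds offered in the SYN but missing from a signed SYN+ACK (0 if none). */
uint32_t dropped_rfc1323(uint32_t syn, uint32_t synack)
{
    const uint32_t rfc1323 = (1u << OPT_WSCALE) | (1u << OPT_TSTAMP);
    return (synack & (1u << OPT_MD5SIG)) ? (syn & rfc1323 & ~synack) : 0;
}

int main(void)
{
    uint32_t s, sa;
    if (tcp_opt_mask(SYN, sizeof SYN, &s) || tcp_opt_mask(SYNACK, sizeof SYNACK, &sa))
        return 2;
    printf("dropped RFC 1323 option kinds (bitmask): 0x%x\n", (unsigned)dropped_rfc1323(s, sa));
    return 0;
}
```

In the returned bitmask, bit 3 stands for window scale and bit 8 for timestamps; a value of 0 means the SYN+ACK kept every RFC 1323 option the SYN offered.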