[Bug 287229] TCP reassembly issue in FreeBSD 14.1

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 02 Jun 2025 07:46:59 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287229

            Bug ID: 287229
           Summary: TCP reassembly issue in FreeBSD 14.1
           Product: Base System
           Version: 14.2-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: lucas.aubard@irisa.fr

Created attachment 260886
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=260886&action=edit
PCAP files

Dear FreeBSD development team, 

I am Lucas Aubard. I am a PhD student in an Inria lab in Rennes, France. 
This PhD is supervised by Gilles Guette (IMT Atlantique), Pierre Chifflier
(ANSSI) and Johan Mazel (ANSSI).

During our research work, we analyzed FreeBSD 14.1 when processing overlapping
IPv4 and IPv6 data fragments.

Our platform exhaustively generates and tests overlapping and non-overlapping
test cases with pair (12 test cases) and triplet (409 test cases) chunks. Every
case is tested for several testing scenarios, i.e., the context surrounding the
original test case chunks.

For a given testing scenario, we noticed that FreeBSD does not reassemble at
least one test case consistently across the multiple testing runs. 
For IPv4 (resp. IPv6), it eventually impacts 25 (resp. 31) of the 42
implemented testing scenarios. Here are the descriptions of some impacted
scenarios:
- peoef: an ending contiguous extra chunk follows (in time) the overlapping
test case chunks.
- peoep: an ending contiguous extra chunk precedes (in time) the overlapping
test case chunks.
- peosfef: a starting and an ending contiguous extra chunk follow (in time)
the overlapping test case chunks.
- peospep: a starting and an ending contiguous extra chunk precede
(in time) the overlapping test case chunks.
- peoepsf: an ending contiguous extra chunk precedes (in time) and a
starting contiguous extra chunk follows (in time) the overlapping test case
chunks.
- peosf: a starting contiguous extra chunk follows (in time) the overlapping
test case chunks.
    + af: all the rightmost finishing fragments have the More Fragments bit
unset.
    + ns: only the newest starting fragment has the More Fragments bit unset.
    + of: only the oldest finishing fragment has the More Fragments bit unset.
- peosp: a starting contiguous extra chunk precedes (in time) the
overlapping test case chunks.
    + as: all the rightmost starting fragments have the More Fragments bit
unset.
    + nf: only the newest finishing fragment has the More Fragments bit unset.
    + oms: the oldest and middle starting fragments have the More Fragments bit
unset.
- pep: no extra chunks.
    + os: only the oldest starting fragment has the More Fragments bit unset.

According to what we have observed, when a test case inconsistency occurs: at
run x, FreeBSD reassembles favoring some overlapping data, but at run y, it
ignores the test case chunks or favors other overlapping data.
While fewer parallelizations lead to fewer inconsistencies, we may still
observe some residual inconsistencies without parallelization.

Attached are the pcap files and plots for some (random) overlap test cases
illustrating the problem. Note that we test FreeBSD 14.1 IPv4 (resp. IPv6)
fragment reassembly with the ICMP (resp. ICMPv6) Echo service, and 192.168.56.37
(resp. fd00:0:0:56::37) is the FreeBSD host IP address in the PCAP files.

While this non-deterministic behavior cannot be classified as a bug, we believe
that this behavior is not intended. Can you confirm this?

Do not hesitate to contact us if you have any questions.

Best regards,
Lucas Aubard.
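To make the reassembly ambiguity in the report concrete, here is an added example (not part of the bug report or of FreeBSD) that models a triplet of overlapping fragments and reassembles them under two fixed policies, "favor oldest" and "favor newest", which is what a firewall or IDS must choose between when it models the target host's reassembly. It assumes byte offsets (not the 8-byte units of the IPv4 header) and a constructed three-chunk test case; a host that flips between such policies from run to run is exactly the inconsistency the report describes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    """One fragment: byte offset into the datagram, payload, More Fragments (MF) flag."""
    offset: int
    payload: bytes
    more_fragments: bool

    @property
    def end(self) -> int:
        return self.offset + len(self.payload)

def reassemble(fragments, policy="favor_newest"):
    """Reassemble fragments given in arrival order under one overlap policy.

    'favor_newest': a later-arriving fragment overwrites already-written bytes.
    'favor_oldest': the first-arriving bytes are kept on an overlapped range.
    The datagram length is taken from the fragment(s) with MF unset; returns
    None when no such fragment exists or a hole remains (incomplete datagram).
    """
    finals = [f for f in fragments if not f.more_fragments]
    if not finals:
        return None
    total = max(f.end for f in finals)
    buf, written = bytearray(total), [False] * total
    for frag in fragments:
        for i, byte in enumerate(frag.payload):
            pos = frag.offset + i
            if pos >= total:  # data beyond the declared end is dropped
                break
            if policy == "favor_newest" or not written[pos]:
                buf[pos], written[pos] = byte, True
    return bytes(buf) if all(written) else None

def is_policy_independent(fragments):
    """True when every policy yields the same datagram (no ambiguous overlap)."""
    return len({reassemble(fragments, p) for p in ("favor_oldest", "favor_newest")}) == 1

# Constructed triplet test case: chunk B overlaps the tail of A, C overlaps the tail of B.
TRIPLET = [
    Fragment(0, b"A" * 12, True),    # bytes 0..12
    Fragment(8, b"B" * 8, True),     # bytes 8..16, overlaps A on 8..12
    Fragment(12, b"C" * 8, False),   # bytes 12..20, overlaps B on 12..16, MF unset
]
```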