[Bug 219991] [PATCH] TCP process bogus packets with too large ACK

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed Jun 14 17:34:13 UTC 2017 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219991

            Bug ID: 219991
           Summary: [PATCH] TCP process bogus packets with too large ACK
           Product: Base System
           Version: 10.3-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: zuborg at advancedhosters.com
          Keywords: patch

Created attachment 183483
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=183483&action=edit
patch sys/netinet/tcp_input.c - check incoming ACK number against snd_max

Some DPI send bogus TCP packets with wrong SEQ/ACK numbers.
TCP reply by zero packet with last valid SEQ/ACK - this can cause zero-packet
exchange loop (IP of FreeBSD server is 88.208.9.79):

10:44:05.500062 IP 31.166.232.167.45174 > 88.208.9.79.80: Flags [S], seq
870523557, win 65535, options [mss 1460,sackOK,TS val 4441706 ecr 0,nop,wscale
6], length 0
10:44:05.500079 IP 88.208.9.79.80 > 31.166.232.167.45174: Flags [S.], seq
3850309907, ack 870523558, win 8192, options [mss 1460,nop,wscale 6,sackOK,TS
val 908986662 ecr 4441706], length 0
10:44:05.576661 IP 31.166.232.167.45174 > 88.208.9.79.80: Flags [.], ack
3850309908, win 1369, options [nop,nop,TS val 4441714 ecr 908986662], length 0
10:44:05.578406 IP 31.166.232.167.45174 > 88.208.9.79.80: Flags [R], seq
2787304243, win 1369, length 0
10:44:05.583003 IP 31.166.232.167.45174 > 88.208.9.79.80: Flags [R.], seq 0,
ack 3850312661, win 0, length 0
10:44:05.584581 IP 31.166.232.167.45174 > 88.208.9.79.80: Flags [.], ack
3850311208, win 1414, options [nop,nop,TS val 4441715 ecr 908986662], length 0
10:44:05.584587 IP 88.208.9.79.80 > 31.166.232.167.45174: Flags [.], ack
870523558, win 135, options [nop,nop,TS val 908986746 ecr 4441714], length 0
10:44:05.585403 IP 31.166.232.167.45174 > 88.208.9.79.80: Flags [.], ack
3850312508, win 1460, options [nop,nop,TS val 4441715 ecr 908986662], length 0
10:44:05.585408 IP 88.208.9.79.80 > 31.166.232.167.45174: Flags [.], ack
870523558, win 135, options [nop,nop,TS val 908986747 ecr 4441714], length 0
10:44:05.585412 IP 31.166.232.167.45174 > 88.208.9.79.80: Flags [.], ack
3850312660, win 1500, options [nop,nop,TS val 4441715 ecr 908986662], length 0
10:44:05.585416 IP 88.208.9.79.80 > 31.166.232.167.45174: Flags [.], ack
870523558, win 135, options [nop,nop,TS val 908986747 ecr 4441714], length 0
10:44:05.589039 IP 31.166.232.167.45174 > 88.208.9.79.80: Flags [F.], seq
870524447, ack 3850312660, win 1500, options [nop,nop,TS val 4441715 ecr
908986662], length 0
10:44:05.589066 IP 88.208.9.79.80 > 31.166.232.167.45174: Flags [.], ack
870523558, win 135, options [nop,nop,TS val 908986751 ecr 4441714], length 0
10:44:05.664713 IP 31.166.232.167.45174 > 88.208.9.79.80: Flags [.], ack
3850312660, win 1500, options [nop,nop,TS val 4441723 ecr 908986662], length 0
10:44:05.664735 IP 88.208.9.79.80 > 31.166.232.167.45174: Flags [.], ack
870523558, win 135, options [nop,nop,TS val 908986826 ecr 4441714], length 0
10:44:05.664738 IP 31.166.232.167.45174 > 88.208.9.79.80: Flags [.], ack
3850312660, win 1500, options [nop,nop,TS val 4441723 ecr 908986662], length 0
10:44:05.664743 IP 88.208.9.79.80 > 31.166.232.167.45174: Flags [.], ack
870523558, win 135, options [nop,nop,TS val 908986826 ecr 4441714], length 0


Note that there were no packets with data and remote side send ACKs for
3850312660, while initial ACK is 3850309907.

My proposal is to check incoming ACKs and drop packets which exceed valid value
(th->snd_max)
Some packets (RST?) have zero ACK - they don't have to be dropped.

Patch is tested on 10.3.

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list