Bug 239799 - IP_MINTTL broken
Summary: IP_MINTTL broken
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 12.0-STABLE
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Andrey V. Elsukov
Reported: 2019-08-12 11:36 UTC by Vincent Bernat
Modified: 2019-10-01 04:28 UTC
koobs: mfc-stable12+
koobs: mfc-stable11+
Description Vincent Bernat 2019-08-12 11:36:15 UTC
Hey!

Use of IP_MINTTL to ensure a minimum TTL on input TCP packets is broken. When this option is enabled for a socket, all incoming packets are dropped. When it comes to comparing the TTL in `tcp_input.c`, the reported TTL is 0:

```c
	if (inp->inp_ip_minttl != 0) {
#ifdef INET6
		if (isipv6) {
			if (inp->inp_ip_minttl > ip6->ip6_hlim)
				goto dropunlock;
		} else
#endif
		if (inp->inp_ip_minttl > ip->ip_ttl)
			goto dropunlock;
	}
```

A few lines earlier, we have:

```c
struct ipovly *ipov = (struct ipovly *)ip;

/*
 * Checksum extended TCP header and data.
 */
len = off0 + tlen;
bzero(ipov->ih_x1, sizeof(ipov->ih_x1));
ipov->ih_len = htons(tlen);
th->th_sum = in_cksum(m, len);
/* Reset length for SDT probes. */
ip->ip_len = htons(len);
/* Reset TOS bits */
ip->ip_tos = iptos;
/* Re-initialization for later version check */
ip->ip_v = IPVERSION;
ip->ip_hl = off0 >> 2;
```

`ip->ip_ttl` also needs to be restored after this code.
Comment 1 commit-hook freebsd_committer freebsd_triage 2019-08-13 12:48:34 UTC
A commit references this bug:

Author: ae
Date: Tue Aug 13 12:47:54 UTC 2019
New revision: 350974
URL: https://svnweb.freebsd.org/changeset/base/350974

Log:
  Save ip_ttl value and restore it after checksum calculation.

  Since ipovly is used for checksum calculation, part of original IP
  header is zeroed. This part includes ip_ttl field, that can be used
  later in IP_MINTTL socket option handling.

  PR:		239799
  MFC after:	1 week

Changes:
  head/sys/netinet/tcp_input.c
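
The failure described in the report and the save/restore fix named in the r350974 log, reproduced in userspace as an added example (not code from the report or the FreeBSD tree). `struct demo_ip`, `struct demo_ipovly`, `union demo_hdr` and both functions are hypothetical stand-ins that mirror the header layout, and the TTL values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified IPv4 header in wire field order (stand-in for struct ip). */
struct demo_ip {
	uint8_t  ip_vhl, ip_tos;
	uint16_t ip_len, ip_id, ip_off;
	uint8_t  ip_ttl, ip_p;
	uint16_t ip_sum;
	uint32_t ip_src, ip_dst;
};
/* Checksum pseudo-header overlay (stand-in for struct ipovly). */
struct demo_ipovly {
	uint8_t  ih_x1[9], ih_pr;	/* ih_x1 spans header bytes 0..8 */
	uint16_t ih_len;
	uint32_t ih_src, ih_dst;
};
union demo_hdr { struct demo_ip ip; struct demo_ipovly ov; };

/* ip_ttl (offset 8) sits inside the span that zeroing ih_x1 clears. */
_Static_assert(offsetof(struct demo_ip, ip_ttl) <
    sizeof(((struct demo_ipovly *)0)->ih_x1), "ih_x1 covers ip_ttl");

/* Zero the overlay, reset the fields the quoted code resets, and
 * optionally ip_ttl too (the fix). Returns the TTL seen afterwards. */
uint8_t ttl_after_cksum_prep(union demo_hdr *h, uint16_t tlen, int restore_ttl)
{
	struct demo_ip saved = h->ip;
	memset(h->ov.ih_x1, 0, sizeof(h->ov.ih_x1));
	h->ov.ih_len = tlen;	/* in_cksum() would run here */
	h->ip.ip_len = saved.ip_len;
	h->ip.ip_tos = saved.ip_tos;
	h->ip.ip_vhl = saved.ip_vhl;
	if (restore_ttl)
		h->ip.ip_ttl = saved.ip_ttl;
	return h->ip.ip_ttl;
}

/* IP_MINTTL comparison on a constructed header; 1 means dropped. */
int segment_dropped(uint8_t wire_ttl, uint8_t minttl, int restore_ttl)
{
	union demo_hdr h = { .ip = { .ip_vhl = 0x45, .ip_ttl = wire_ttl, .ip_p = 6 } };
	return minttl != 0 && minttl > ttl_after_cksum_prep(&h, 20, restore_ttl);
}

int main(void)
{
	printf("ttl 64, minttl 32: dropped pre-fix=%d post-fix=%d\n",
	    segment_dropped(64, 32, 0), segment_dropped(64, 32, 1));
	return 0;
}
```

Without the restore, any non-zero minimum compares against a TTL of 0, so every segment is dropped regardless of the TTL it arrived with.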
Comment 2 commit-hook freebsd_committer freebsd_triage 2019-08-23 10:12:04 UTC
A commit references this bug:

Author: ae
Date: Fri Aug 23 10:11:11 UTC 2019
New revision: 351419
URL: https://svnweb.freebsd.org/changeset/base/351419

Log:
  MFC r350974:
    Since ipovly is used for checksum calculation, part of original IP
    header is zeroed. This part includes ip_ttl field, that can be used
    later in IP_MINTTL socket option handling.

    PR:		239799

Changes:
_U  stable/12/
  stable/12/sys/netinet/tcp_input.c
Comment 3 commit-hook freebsd_committer freebsd_triage 2019-08-23 10:13:06 UTC
A commit references this bug:

Author: ae
Date: Fri Aug 23 10:12:42 UTC 2019
New revision: 351420
URL: https://svnweb.freebsd.org/changeset/base/351420

Log:
  MFC r350974:
    Save ip_ttl value and restore it after checksum calculation.

    Since ipovly is used for checksum calculation, part of original IP
    header is zeroed. This part includes ip_ttl field, that can be used
    later in IP_MINTTL socket option handling.

    PR:           239799

Changes:
_U  stable/11/
  stable/11/sys/netinet/tcp_input.c
Comment 4 Andrey V. Elsukov freebsd_committer freebsd_triage 2019-08-23 10:13:47 UTC
Fixed in head/, stable/12 and stable/11. Thanks!