Bug 15071

Summary: tcp fails to handle TIME_WAIT special case
Product: Base System
Reporter: Jun-ichiro itojun Hagino <itojun>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
CC: green
Priority: Normal
Version: Unspecified
Hardware: Any
OS: Any
Attachments:
file.diff (Flags: none)

Description Jun-ichiro itojun Hagino 1999-11-24 09:10:00 UTC
	in tcp_input() (sys/netinet/tcp_input.c) there are two places
	where "goto findpcb" is used.  They are for accepting a new connection
	while the tcb is in TIME_WAIT state.

	However, because FreeBSD tcp_input strips off the mbuf down to the
	tcp data segment at the following line, the "goto findpcb" attempt
	will never succeed.
  
	/*
	 * Drop TCP, IP headers and TCP options.
	 */
	m->m_data += sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr);
	m->m_len  -= sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr);

Fix: There are two possible fixes to this.  I prefer the latter one,
	as we will need to introduce the latter one anyway for IPv6 support.
	
	Short term fix will be to compute m_data and m_len back to the
	original:

Long-term (and more clean) fix would be to avoid modifying m_len and
	m_data.
How-To-Repeat: 
	Due to this, we (the KAME team) encountered a panic in the IPsec policy
	management engine.  I dunno if there's any problem with normal FreeBSD.
	A serious cracker may try to hand-craft a tcp data segment that contains
	a wrong tcp header (to be used when "goto findpcb" is kicked).
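Added example (not from the report or the FreeBSD tree) modelling the mbuf adjustment the report describes with a toy mbuf and a constructed segment: after the strip, re-reading the TCP header the way a findpcb re-lookup would sees payload bytes instead, while restoring m_data and m_len first (the report's short-term fix) recovers the real ports. IP_HDRLEN, TCP_HDRLEN, the mbuf struct and the packet bytes are assumed stand-ins, not kernel definitions.

```c
/* Toy model of the m_data/m_len strip in tcp_input() that the report describes;
 * the mbuf struct and the packet built below are constructed for this demo. */
#include <stddef.h>
#include <string.h>

#define IP_HDRLEN  20  /* stands in for sizeof(struct ip) */
#define TCP_HDRLEN 20  /* stands in for sizeof(struct tcphdr), without options */
struct mbuf { unsigned char *m_data; size_t m_len; };  /* toy mbuf */
/* What the "goto findpcb" re-lookup needs: the ports of the TCP header that
 * follows the IP header at m_data, packed as sport<<16 | dport.
 * Returns -1 if the mbuf is too short to hold both headers. */
static long read_ports(const struct mbuf *m)
{
    if (m->m_len < IP_HDRLEN + TCP_HDRLEN)
        return -1;
    const unsigned char *th = m->m_data + IP_HDRLEN;
    return (long)(th[0] << 8 | th[1]) << 16 | (th[2] << 8 | th[3]);
}
/* tcp_input's strip: sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr) equals
 * IP_HDRLEN + off, where off is the TCP header length including options. */
static void strip_headers(struct mbuf *m, size_t off)
{
    m->m_data += IP_HDRLEN + off;
    m->m_len  -= IP_HDRLEN + off;
}
/* The report's short-term fix: compute m_data and m_len back to the original. */
static void restore_headers(struct mbuf *m, size_t off)
{
    m->m_data -= IP_HDRLEN + off;
    m->m_len  += IP_HDRLEN + off;
}
/* Constructed segment: 20-byte IP, 24-byte TCP header (one option), 40 bytes of
 * 'A' payload.  Strip it as tcp_input does, then re-read the ports either from
 * the stripped mbuf (the bug) or after restoring the offsets (the fix). */
static long relookup_ports(int restore_first)
{
    unsigned char pkt[IP_HDRLEN + 24 + 40];
    size_t off = 24;
    struct mbuf m = { pkt, sizeof pkt };
    memset(pkt, 0x41, sizeof pkt);       /* payload bytes, misread as port 0x4141 */
    memset(pkt, 0, IP_HDRLEN + off);
    pkt[IP_HDRLEN] = 0x1f; pkt[IP_HDRLEN + 1] = 0x90;   /* sport 8080 */
    pkt[IP_HDRLEN + 3] = 0x16;                          /* dport 22 */
    strip_headers(&m, off);
    if (restore_first)
        restore_headers(&m, off);
    return read_ports(&m);
}
```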
Comment 1 itojun freebsd_committer freebsd_triage 1999-11-24 09:12:12 UTC
State Changed
From-To: open->closed

Sorry, this was a KAME-only problem, not FreeBSD.