Page MenuHomeFreeBSD
Differential D21665

Don't send TCP segments when the IP header chain and the TCP header doesn't fit in a packet
ClosedPublic
Actions

Authored by tuexen on Sep 15 2019, 3:36 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Jan 23, 5:51 AM
Unknown Object (File)
Thu, Jan 9, 12:40 AM
Unknown Object (File)
Dec 7 2024, 7:11 PM
Unknown Object (File)
Dec 2 2024, 3:35 AM
Unknown Object (File)
Nov 29 2024, 2:28 PM
Unknown Object (File)
Nov 24 2024, 10:55 PM
Unknown Object (File)
Nov 24 2024, 8:59 PM
Unknown Object (File)
Nov 24 2024, 7:17 AM
View All Files
Subscribers
imp

Details

Reviewers
rrs
thj
jtl
markj
rscheff
Group Reviewers
transport
Commits
rS353040: MFS r352673:
rS353035: MFC r352868:
rS352868: RFC 7112 requires a host to put the complete IP header chain
Summary

RFC 7112 requires a host to put the complete IP header chain including the TCP header in the first IP packet. Enforce this in tcp_output(). Without this check, a kernel with INVARIANTS will panic.

This issue was found by running an instance of syzkaller.

Test Plan

Test with the reproducer generated by syzkaller:

r.c9 KBDownload

Here is the issue: panic: {tcp_output:LINE}: len < 0.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

tuexen created this revision.Sep 15 2019, 3:36 PM
Herald added a reviewer: transport. · View Herald TranscriptSep 15 2019, 3:36 PM
Herald added a subscriber: imp. · View Herald Transcript
Harbormaster completed remote builds in B26507: Diff 62126.Sep 15 2019, 3:36 PM
rscheff added inline comments.Sep 26 2019, 2:18 PM
sys/netinet/tcp_output.c
944 ↗(On Diff #62126)

From transport-call: make this a >= to have at least 1 data byte per segment, to make forward progress. Otherwise, we may continously send packet with just ip+tcp headers forever.

tuexen updated this revision to Diff 62699.Sep 29 2019, 10:41 AM

Allow at least one byte of payload to ensure that making progress is possible. This was suggested in the transport telco.

Harbormaster completed remote builds in B26756: Diff 62699.Sep 29 2019, 10:41 AM
tuexen added inline comments.Sep 29 2019, 10:41 AM
sys/netinet/tcp_output.c
944 ↗(On Diff #62126)

Addressed by the last change. The same change is also applied to RACK and BBR.

tuexen marked an inline comment as done.Sep 29 2019, 10:42 AM
This revision was not accepted when it landed; it landed in state Needs Review.Sep 29 2019, 10:45 AM
Closed by commit rS352868: RFC 7112 requires a host to put the complete IP header chain (authored by tuexen). · Explain Why
This revision was automatically updated to reflect the committed changes.
tuexen added a commit: rS352868: RFC 7112 requires a host to put the complete IP header chain.
tuexen added a commit: rS353035: MFC r352868:.Oct 3 2019, 10:44 AM
tuexen added a commit: rS353040: MFS r352673:.Oct 3 2019, 12:27 PM

Revision Contents
Changeset List

PathSize
head/
sys/
netinet/
14 lines
tcp_stacks/
6 lines
6 lines

Diff 62700

View Options

head/sys/netinet/tcp_output.c

Loading...
View Options

head/sys/netinet/tcp_stacks/bbr.c

Loading...
View Options

head/sys/netinet/tcp_stacks/rack.c

Loading...