Don't send TCP segments when the IP header chain and the TCP header don't fit in a packet
Closed, Public

Authored by tuexen on Sep 15 2019, 3:36 PM.

Details

Summary

RFC 7112 requires a host to put the complete IP header chain including the TCP header in the first IP packet. Enforce this in tcp_output(). Without this check, a kernel with INVARIANTS will panic.

This issue was found by running an instance of syzkaller.

Test Plan

Test with the reproducer generated by syzkaller:


Here is the issue: panic: {tcp_output:LINE}: len < 0.

Diff Detail

Repository: rS FreeBSD src repository - subversion
Lint: Lint Not Applicable
Unit: Tests Not Applicable

Event Timeline

sys/netinet/tcp_output.c
944 ↗(On Diff #62126)

From transport-call: make this a >= to have at least 1 data byte per segment, to make forward progress. Otherwise, we may continuously send packets with just ip+tcp headers forever.

Allow at least one byte of payload to ensure that making progress is possible. This was suggested in the transport telco.

sys/netinet/tcp_output.c
944 ↗(On Diff #62126)

Addressed by the last change. The same change is also applied to RACK and BBR.

This revision was not accepted when it landed; it landed in state Needs Review.
Sep 29 2019, 10:45 AM
This revision was automatically updated to reflect the committed changes.
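
The boundary discussed in the review (a negative length without any check, and `>` versus `>=` for forward progress) can be seen in a small stand-alone model. This is an added example, not the committed FreeBSD change or code from tcp_output(); the function names, the parameters `maxseg`, `optlen` and `ipoptlen`, and the sample values are all assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Added model, not FreeBSD's tcp_output(); every name here is hypothetical.
 * maxseg:   bytes per segment left for options and payload
 * optlen:   TCP option bytes; ipoptlen: IP option / extension header bytes */
enum check { CHECK_NONE, CHECK_GT, CHECK_GE };
enum { REFUSED = INT_MIN, STALLED = -1, NEGATIVE_LEN = -2 };

/* Payload bytes for the next segment when `len` bytes are queued. */
static int seg_len(enum check c, int maxseg, int optlen, int ipoptlen, int len)
{
    int hdrs = optlen + ipoptlen;

    if (len + hdrs <= maxseg)
        return len;                    /* everything fits in one segment */
    if ((c == CHECK_GT && hdrs > maxseg) || (c == CHECK_GE && hdrs >= maxseg))
        return REFUSED;                /* headers leave no usable room */
    return maxseg - hdrs;              /* < 0 unchecked, 0 possible with '>' */
}

/* Drain `total` queued bytes; returns segments sent or a sentinel above. */
static int send_all(enum check c, int maxseg, int optlen, int ipoptlen, int total)
{
    int segs = 0;

    while (total > 0) {
        int n = seg_len(c, maxseg, optlen, ipoptlen, total);
        if (n == REFUSED)
            return REFUSED;
        if (n < 0)
            return NEGATIVE_LEN;       /* the "len < 0" condition */
        if (n == 0)
            return STALLED;            /* header-only segments, no progress */
        total -= n;
        segs++;
    }
    return segs;
}

int main(void)
{
    /* Constructed values: 12 bytes of TCP options, 40 bytes of IP options. */
    printf("no check, maxseg 48: %d\n", send_all(CHECK_NONE, 48, 12, 40, 100));
    printf("'>' check, maxseg 52: %d\n", send_all(CHECK_GT, 52, 12, 40, 100));
    printf("'>=' check, maxseg 52: %d\n", send_all(CHECK_GE, 52, 12, 40, 100));
    printf("'>=' check, maxseg 53: %d\n", send_all(CHECK_GE, 53, 12, 40, 3));
    return 0;
}
```

With the `>=` check the sender either refuses up front or moves at least one payload byte per segment, so the loop always terminates.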