Don't send TCP segments when the IP header chain and the TCP header doesn't fit in a packet
Closed, Public

Authored by tuexen on Sep 15 2019, 3:36 PM.

Details

Summary

RFC 7112 requires a host to put the complete IP header chain including the TCP header in the first IP packet. Enforce this in tcp_output(). Without this check, a kernel with INVARIANTS will panic.

This issue was found by running an instance of syzkaller.

Test Plan

Test with the reproducer generated by syzkaller:


Here is the issue: panic: {tcp_output:LINE}: len < 0.

Diff Detail

Repository: rS FreeBSD src repository - subversion
Lint: Lint Skipped
Unit: Tests Skipped
Build Status: Buildable 26756

Event Timeline

sys/netinet/tcp_output.c:944

From transport-call: make this a >= to have at least 1 data byte per segment, to make forward progress. Otherwise, we may continuously send packets with just ip+tcp headers forever.

Allow at least one byte of payload to ensure that making progress is possible. This was suggested in the transport telco.

sys/netinet/tcp_output.c:944

Addressed by the last change. The same change is also applied to RACK and BBR.

This revision was not accepted when it landed; it landed in state Needs Review. Sep 29 2019, 10:45 AM
This revision was automatically updated to reflect the committed changes.
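
The check discussed in this review, as an added C model that is not the committed FreeBSD code: the struct, the function names and the sample values are assumptions constructed for illustration. It shows the unchecked length going negative once the header chain outgrows the packet, and why the comparison is `>=` so that at least one payload byte remains.

```c
#include <errno.h>
#include <stdio.h>

#define IP6_FIXED_HDR 40 /* IPv6 fixed header, bytes */
#define TCP_FIXED_HDR 20 /* TCP header without options, bytes */

/* Hypothetical description of one outgoing segment (not a FreeBSD struct). */
struct seg_plan {
    int pkt_size;    /* bytes available in the first IP packet */
    int ext_len[4];  /* IPv6 extension header lengths, in chain order */
    size_t n_ext;    /* number of entries used in ext_len */
    int tcp_opt_len; /* TCP options, 0..40 bytes */
};

/* Constructed samples, all at the IPv6 minimum MTU of 1280 bytes. */
const struct seg_plan PLAN_FITS = { 1280, { 8, 24 }, 2, 12 };  /* chain 104 */
const struct seg_plan PLAN_EXACT = { 1280, { 1208 }, 1, 12 };  /* chain 1280 */
const struct seg_plan PLAN_TOOBIG = { 1280, { 1216 }, 1, 12 }; /* chain 1288 */

/* Length of the header chain up to and including the TCP header. */
static int chain_len(const struct seg_plan *p) {
    int len = IP6_FIXED_HDR + TCP_FIXED_HDR + p->tcp_opt_len;
    for (size_t i = 0; i < p->n_ext; i++)
        len += p->ext_len[i];
    return len;
}

/* Unchecked: the result is negative once the chain outgrows the packet. */
int payload_room_unchecked(const struct seg_plan *p) {
    return p->pkt_size - chain_len(p);
}

/* Checked: returns payload bytes (>= 1), or -1 with errno = EMSGSIZE.
 * ">=" also rejects an exact fit, which would leave zero payload bytes. */
int payload_room_checked(const struct seg_plan *p) {
    int hdrs = chain_len(p);
    if (hdrs >= p->pkt_size) {
        errno = EMSGSIZE;
        return -1;
    }
    return p->pkt_size - hdrs;
}

int main(void) {
    const struct seg_plan *s[] = { &PLAN_FITS, &PLAN_EXACT, &PLAN_TOOBIG };
    for (int i = 0; i < 3; i++)
        printf("unchecked=%d checked=%d\n", payload_room_unchecked(s[i]), payload_room_checked(s[i]));
    return 0;
}
```

With a strict `>` the exact-fit sample would be accepted with zero payload bytes, which is the no-forward-progress case raised in the inline comment.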