Subject: kern/10107: ipfilter generated tcp resets can be invalid
To: None <gnats-bugs@gnats.netbsd.org>
From: Andrew Brown <atatat@atatdot.net>
List: netbsd-bugs
Date: 05/12/2000 22:36:12
>Number:         10107
>Category:       kern
>Synopsis:       ipfilter generated tcp resets can be invalid
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri May 12 22:37:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     TheMan
>Release:        1.4Y (as of ~958148511 seconds since the epoch)
>Organization:
none
	
>Environment:
	
System: NetBSD ebola 1.4Y NetBSD 1.4Y (RESTON) #12: Sat May 13 00:56:12 EDT 2000 andrew@ebola:/usr/src/sys/arch/i386/compile/RESTON i386


>Description:

	i added an alias to ex0 on my machine for smtp traffic only and
	added a line to my ipf.conf to generate resets for all other
	tcp traffic to that address.  testing revealed that tcp
	connections to that address weren't being properly reset, yet
	tcpdump clearly showed the resets inbound on the client machine.
	for some reason, it only affected the alias address (the main
	ip address has a similar filter in place, yet that always
	properly reset connections) and sometimes it did work (ie, the
	reset closed the nascent connection).

>How-To-Repeat:

	(above)

>Fix:

	this patch is a little larger than the one i posted to
	current-users, since i believe the urgent pointer in the tcp
	reset packet ought to be set to zero.  i dunno what the real
	behavior is supposed to be, since i couldn't find anything
	definitive either way on it.  i have merely observed that in
	the other implementations that i've examined (via tcpdump)
	that the urgent pointer is always zero.

--- ip_fil.c-orig	Fri May 12 12:14:39 2000
+++ ip_fil.c	Sat May 13 01:35:50 2000
@@ -1028,6 +1028,7 @@
 	tcp2->th_flags = TH_RST|TH_ACK;
 	tcp2->th_win = 0;
 	tcp2->th_sum = 0;
+	tcp2->th_urp = 0;
 # ifdef	USE_INET6
 	if (fin->fin_v == 6) {
 		ip6->ip6_flow = 0;
@@ -1041,6 +1042,7 @@
 		return send_ip(m, oip, fin, hlen + sizeof(*tcp2));
 	}
 # endif
+	bzero((char *)ip, sizeof(*ip));
 	ip->ip_p = IPPROTO_TCP;
 	ip->ip_len = htons(sizeof(struct tcphdr));
 	ip->ip_src.s_addr = oip->ip_dst.s_addr;
>Release-Note:
>Audit-Trail:
>Unformatted: