NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

kern/48452: tcp_input() doesn't always verify tcp checksum



>Number:         48452
>Category:       kern
>Synopsis:       tcp_input() doesn't always verify tcp checksum
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Dec 16 17:35:00 +0000 2013
>Originator:     Valery Ushakov
>Release:        current
>Organization:
>Environment:
NetBSD felix 6.99.25 NetBSD 6.99.25 (FELIX) #8: Wed Nov  6 16:39:05 MSK 2013  
uwe@spotty:/home/uwe/work/netbsd/cvs/src/sys/arch/landisk/compile/FELIX landisk 
>Description:
A TCP SYN segment with invalid TCP checksum to a destination port that has no 
listening PCB causes an RST to be generated.  The checksum is not verified.  
From a quick look it seems that it was broken in tcp_input.c revision 1.103

date: 2000-02-12 20:19:34 +0300;  author: thorpej;  state: Exp;  lines: +92 -67\
;
In the tcp_input() path:
- Filter out multicast destinations explicitly for every incoming packet,
  not just SYNs.  Previously, non-SYN multicast destination would be
  filtered out as a side effect of PCB lookup.  Remove now redundant
  similar checks in the dropwithreset case and in syn_cache_add().
- Defer the TCP checksum until we know that we want to process the
  packet (i.e. have a non-CLOSED connection or a listen socket).

>How-To-Repeat:
Use raw socket to send manually created TCP SYN datagram with bad checksum to a 
port that has no listener.  Observe that RST is sent in reply and "discarded 
for bad checksum" tcp counter in netstat -s is not incremented.

>Fix:



Home | Main Index | Thread Index | Old Index