NetBSD-Bugs archive
kern/53479: NPF: wrong checksum alignment
>Number: 53479
>Category: kern
>Synopsis: NPF: wrong checksum alignment
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Jul 29 14:30:00 +0000 2018
>Originator: Maxime Villard
>Release: -current, -8, -7 (probably)
>Organization:
TNF
>Environment:
amd64, i386, whatever
>Description:
As explained here:
http://mail-index.netbsd.org/tech-net/2018/04/07/msg006777.html
http://mail-index.netbsd.org/tech-net/2018/04/08/msg006785.html
There is a bug when computing the TCP checksum of a received packet when
max-mss clamping was active.
The problem is that NPF expects the MSS option to be on a 16bit boundary,
while the spec (RFC793) specifies that "An option may begin on any octet
boundary".
The call path is: npf_normalize() -> npf_fixup16_cksum().
Such packets are probably not seen a lot in the wild, however.
>How-To-Repeat:
I had tested by hand-crafting the packets.
>Fix:
When the MSS is not on a 16bit boundary, we need to call npf_fixup16_cksum
twice on two consecutive 16bit areas, the MSS being exactly in the middle.
0      8           16          24     32
+------+-----------+-----------+------+
| data | MSS (low) | MSS(high) | data |
+------+-----------+-----------+------+
^                  ^
first call         second call
And merge the results.
But given how NPF is written it looks like it is a headache to do just
that.
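
The two-call fixup described under >Fix, as an added example that is not NPF code and not part of the original report: it rewrites an MSS value sitting at an odd offset and checks the incrementally updated checksum against a full recomputation. The names fold, cksum_full, fixup16, clamp_mss and demo are hypothetical, the segment is constructed, and the pseudo-header is left out (it has even length, so it does not change the alignment).

```c
#include <stdint.h>
#include <string.h>

/* Fold a 32-bit accumulator into a 16-bit one's-complement sum. */
static uint16_t fold(uint32_t s)
{
    s = (s & 0xffff) + (s >> 16);
    return (uint16_t)(s + (s >> 16));
}

/* Full Internet checksum over buf (len even); used only as the reference. */
static uint16_t cksum_full(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 2)
        sum += (uint32_t)(buf[i] << 8 | buf[i + 1]);
    return (uint16_t)~fold(sum);
}

/* RFC 1624: HC' = ~(~HC + ~m + m'), for one aligned 16-bit word m -> m'. */
static uint16_t fixup16(uint16_t cksum, uint16_t old, uint16_t new)
{
    return (uint16_t)~fold((uint32_t)(uint16_t)~cksum + (uint16_t)~old + new);
}

/* Store mss at byte offset off and fix up each aligned word it overlaps. */
static uint16_t clamp_mss(uint8_t *seg, size_t off, uint16_t mss, uint16_t cksum)
{
    uint8_t before[4];
    size_t w = off & ~(size_t)1, n = (off & 1) ? 4 : 2;
    memcpy(before, seg + w, n);
    seg[off] = (uint8_t)(mss >> 8);
    seg[off + 1] = (uint8_t)mss;
    for (size_t i = 0; i < n; i += 2)   /* one call if aligned, two if not */
        cksum = fixup16(cksum, (uint16_t)(before[i] << 8 | before[i + 1]),
            (uint16_t)(seg[w + i] << 8 | seg[w + i + 1]));
    return cksum;
}

/* Constructed SYN, options NOP, MSS=1460, NOP x3 (MSS value at offset 23).
 * Returns 1 if the fixup (two_calls=0: single aligned-style call) is right. */
static int demo(int two_calls)
{
    uint8_t seg[28] = { [12] = 0x70, 0x02, [20] = 1, 2, 4, 0x05, 0xb4, 1, 1, 1 };
    uint16_t ck0 = cksum_full(seg, sizeof seg);  /* checksum field left zero */
    uint16_t ck = clamp_mss(seg, 23, 1400, ck0);
    return (two_calls ? ck : fixup16(ck0, 1460, 1400)) == cksum_full(seg, sizeof seg);
}

int main(void) { return !(demo(1) && !demo(0)); }
```

clamp_mss assumes the aligned word after the MSS lies inside the segment, which holds for a TCP header because its length is a multiple of four bytes.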