Date:      Mon, 30 Sep 2019 18:19:02 +0200
From:      Michael Tuexen <tuexen@freebsd.org>
To:        Slawa Olhovchenkov <slw@zxy.spb.ru>
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r352868 - in head/sys/netinet: . tcp_stacks
Message-ID:  <04D392FE-C3CC-4433-90F7-B19600304171@freebsd.org>
In-Reply-To: <20190930142155.GC38096@zxy.spb.ru>
References:  <201909291045.x8TAjD6J066797@repo.freebsd.org> <20190930142155.GC38096@zxy.spb.ru>

> On 30. Sep 2019, at 16:21, Slawa Olhovchenkov <slw@zxy.spb.ru> wrote:
> 
> On Sun, Sep 29, 2019 at 10:45:13AM +0000, Michael Tuexen wrote:
> 
>> Author: tuexen
>> Date: Sun Sep 29 10:45:13 2019
>> New Revision: 352868
>> URL: https://svnweb.freebsd.org/changeset/base/352868
>> 
>> Log:
>>  RFC 7112 requires a host to put the complete IP header chain
>>  including the TCP header in the first IP packet.
>>  Enforce this in tcp_output(). In addition make sure that at least
>>  one byte payload fits in the TCP segment to allow making progress.
>>  Without this check, a kernel with INVARIANTS will panic.
>>  This issue was found by running an instance of syzkaller.
> 
> How is this possible?
> A host is required to handle packets up to 576 bytes; how can IP and TCP
> options exhaust this size?
You are thinking about IPv4. There you have small limits. But in the
IPv6 case, you can have header chains longer than, for example, 1500 bytes.
And you can trigger these using the socket API. That is how syzkaller
found this issue.

Best regards
Michael
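
As an added illustration (not part of the original message and not the FreeBSD tcp_output() change): a receiver-side check in C that walks an IPv6 header chain and reports whether the chain, including the TCP header, lies completely within the first packet, as RFC 7112 requires. The function and enum names are hypothetical, and only Hop-by-Hop, Routing, Destination Options and Fragment headers are handled.

```c
#include <stddef.h>
#include <stdint.h>

enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_ROUTING = 43, NH_FRAGMENT = 44, NH_DSTOPTS = 60 };
enum chain_result { CHAIN_COMPLETE, CHAIN_TRUNCATED, CHAIN_UNSUPPORTED };

/* pkt points at the IPv6 header of an unfragmented packet or first fragment;
 * len is the number of bytes actually present in that packet. */
enum chain_result check_header_chain(const uint8_t *pkt, size_t len)
{
    size_t off = 40, hlen;              /* fixed IPv6 header is 40 bytes */
    uint8_t nh;

    if (len < off)
        return CHAIN_TRUNCATED;
    nh = pkt[6];                        /* Next Header of the fixed header */
    for (;;) {                          /* invariant: off <= len */
        switch (nh) {
        case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS:
            if (len - off < 2)
                return CHAIN_TRUNCATED;
            hlen = ((size_t)pkt[off + 1] + 1) * 8;  /* Hdr Ext Len, 8-byte units */
            break;
        case NH_FRAGMENT:
            if (len - off < 8)
                return CHAIN_TRUNCATED;
            if (((pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8)
                return CHAIN_UNSUPPORTED;   /* not a first fragment */
            hlen = 8;
            break;
        case NH_TCP:
            if (len - off < 20)
                return CHAIN_TRUNCATED;
            hlen = (size_t)(pkt[off + 12] >> 4) * 4;    /* TCP data offset */
            if (hlen < 20)
                return CHAIN_UNSUPPORTED;   /* malformed TCP header */
            return len - off < hlen ? CHAIN_TRUNCATED : CHAIN_COMPLETE;
        default:
            return CHAIN_UNSUPPORTED;       /* AH, ESP, other upper layers */
        }
        if (len - off < hlen)
            return CHAIN_TRUNCATED;
        nh = pkt[off];                      /* Next Header of this extension */
        off += hlen;
    }
}
```

A single extension header can declare up to 2048 bytes, so a chain that does not fit in a 1500-byte packet yields `CHAIN_TRUNCATED`.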