From: Michael Tuexen
To: Slawa Olhovchenkov
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Date: Mon, 30 Sep 2019 18:19:02 +0200
Subject: Re: svn commit: r352868 - in head/sys/netinet: . tcp_stacks

> On 30. Sep 2019, at 16:21, Slawa Olhovchenkov wrote:
>
> On Sun, Sep 29, 2019 at 10:45:13AM +0000, Michael Tuexen wrote:
>
>> Author: tuexen
>> Date: Sun Sep 29 10:45:13 2019
>> New Revision: 352868
>> URL: https://svnweb.freebsd.org/changeset/base/352868
>>
>> Log:
>> RFC 7112 requires a host to put the complete IP header chain
>> including the TCP header in the first IP packet.
>> Enforce this in tcp_output(). In addition make sure that at least
>> one byte payload fits in the TCP segment to allow making progress.
>> Without this check, a kernel with INVARIANTS will panic.
>> This issue was found by running an instance of syzkaller.
>
> How is this possible?
> A host is required to handle packets up to 576 bytes; how can IP and TCP
> options exhaust this size?

You are thinking about IPv4. There you have small limits. But in the
IPv6 case, you can have header chains longer than, for example, 1500 bytes.
And you can trigger these using the socket API. That is how syzkaller found
this issue.

Best regards
Michael
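
The size check discussed in this thread, as an added user-space example that is not part of the original message and is not the FreeBSD tcp_output() code: it walks an IPv6 header chain and reports whether the chain plus the TCP header, and at least one byte of payload, fits within a given MTU. All function and enum names are hypothetical, the sample packets are constructed, and only Hop-by-Hop, Routing and Destination Options extension headers are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum verdict { CHAIN_OK, CHAIN_NO_PAYLOAD_ROOM, CHAIN_TOO_LONG, CHAIN_MALFORMED };

/* Bytes from the start of the IPv6 header through the end of the TCP header
 * (options included); 0 if the chain is malformed or does not end in TCP. */
size_t header_chain_len(const uint8_t *p, size_t n)
{
    size_t off = 40, len, thl;              /* 40 = fixed IPv6 header */
    uint8_t nh;

    if (n < 40 || (p[0] >> 4) != 6)
        return 0;
    for (nh = p[6]; nh != 6; off += len) {  /* next header 6 = TCP */
        /* 0 = Hop-by-Hop, 43 = Routing, 60 = Destination Options */
        if (n - off < 2 || (nh != 0 && nh != 43 && nh != 60))
            return 0;
        len = ((size_t)p[off + 1] + 1) * 8; /* Hdr Ext Len is in 8-byte units */
        if (len > n - off)
            return 0;
        nh = p[off];
    }
    if (n - off < 20)
        return 0;
    thl = (size_t)(p[off + 12] >> 4) * 4;   /* TCP data offset */
    return (thl < 20 || thl > n - off) ? 0 : off + thl;
}

/* RFC 7112: the whole chain must be in the first packet; one byte must remain. */
enum verdict first_packet_check(const uint8_t *p, size_t n, size_t mtu)
{
    size_t chain = header_chain_len(p, n);
    if (chain == 0) return CHAIN_MALFORMED;
    if (chain > mtu) return CHAIN_TOO_LONG;
    return chain == mtu ? CHAIN_NO_PAYLOAD_ROOM : CHAIN_OK;
}

/* Constructed sample: IPv6 header, one Destination Options header of ext_len
 * bytes filled with Pad1 options, and a 20-byte TCP header. */
enum verdict sample_verdict(size_t ext_len, size_t mtu)
{
    static uint8_t buf[40 + 2048 + 20];
    if (ext_len < 8 || ext_len > 2048 || ext_len % 8) return CHAIN_MALFORMED;
    memset(buf, 0, sizeof(buf));
    buf[0] = 0x60; buf[6] = 60;             /* version 6, next = Dest Options */
    buf[40] = 6;   buf[41] = (uint8_t)(ext_len / 8 - 1);
    buf[40 + ext_len + 12] = 5 << 4;        /* TCP data offset = 5 words */
    return first_packet_check(buf, 40 + ext_len + 20, mtu);
}
```

A single extension header can be up to 2048 bytes long, so one maximum-size options header already pushes the chain past a 1500-byte MTU.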