Date: Mon, 02 Jun 2025 07:46:59 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 287229] TCP reassembly issue in FreeBSD 14.1
Message-ID: <bug-287229-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287229

Bug ID: 287229
Summary: TCP reassembly issue in FreeBSD 14.1
Product: Base System
Version: 14.2-STABLE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: lucas.aubard@irisa.fr

Created attachment 260886
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=260886&action=edit
PCAP files

Dear FreeBSD development team,

I am Lucas Aubard. I am a PhD student in an Inria lab in Rennes, France. This PhD is supervised by Gilles Guette (IMT Atlantique), Pierre Chifflier (ANSSI) and Johan Mazel (ANSSI).

During our research work, we analyzed FreeBSD 14.1 when processing overlapping IPv4 and IPv6 data fragments. Our platform exhaustively generates and tests overlapping and non-overlapping test cases with pair (12 test cases) and triplet (409 test cases) chunks. Every case is tested for several testing scenarios, i.e., the context surrounding the original test case chunks.

For a given testing scenario, we noticed that FreeBSD does not reassemble at least one test case consistently across the multiple testing runs. For IPv4 (resp. IPv6), it eventually impacts 25 (resp. 31) of the 42 implemented testing scenarios.

Here are the descriptions of some impacted scenarios:

- peoef: an ending contiguous extra chunk follows (timewisely) the overlapping test case chunks.
- peoep: an ending contiguous extra chunk precedes (timewisely) the overlapping test case chunks.
- peosfef: a starting and an ending contiguous extra chunks follow (timewisely) the overlapping test case chunks.
- peospep: a starting and an ending contiguous extra chunks precede (timewisely) the overlapping test case chunks.
- peoepsf: an ending contiguous extra chunk precedes (timewisely) and a starting contiguous extra chunk follows (timewisely) the overlapping test case chunks.
- peosf: a starting contiguous extra chunk follows (timewisely) the overlapping test case chunks.
  + af: all the rightmost finishing fragments have the More Fragment bit unset.
  + ns: only the newest starting fragment has the More Fragment bit unset.
  + of: only the oldest finishing fragment has the More Fragment bit unset.
- peosp: a starting contiguous extra chunk precedes (timewisely) the overlapping test case chunks.
  + as: all the rightmost starting fragments have the More Fragment bit unset.
  + nf: only the newest finishing fragment has the More Fragment bit unset.
  + oms: the oldest and mid starting fragments have the More Fragment bit unset.
- pep: no extra chunks.
  + os: only the oldest starting fragment has the More Fragment bit unset.

According to what we have observed, when a test case inconsistency occurs: at run x, FreeBSD reassembles favoring some overlapping data but at run y, it ignores the test case chunks or it favors other overlapping data. While fewer parallelizations yield fewer inconsistencies, we may observe some residual inconsistencies without parallelization.

Attached are the pcap files and plots for some (random) overlap test cases illustrating the problem. Note that we test FreeBSD 14.1 IPv4 (resp. IPv6) fragment reassemblies with ICMP (resp. ICMPv6) Echo service and 192.168.56.37 (resp. fd00:0:0:56::37) is the FreeBSD host IP address in the PCAP files.

While this non-deterministic behavior cannot be classified as a bug, we believe that this behavior is not intended. Can you confirm this?

Do not hesitate if you have any questions.

Best regards,
Lucas Aubard.

--
You are receiving this mail because:
You are the assignee for the bug.
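
An added example, not part of the original report or of the reporters' test platform: a minimal Python model of the run-to-run consistency check the message describes, labelling each run's echoed payload and flagging test cases whose label changes between runs. Assumptions: chunk offsets are in bytes, only the two simplest overlap policies (oldest data wins, newest data wins) are modelled, and every function name, case id and payload is constructed for illustration.

```python
from collections import defaultdict

def reassemble(chunks, policy):
    """chunks: (offset, data) pairs in arrival order. 'first' keeps the oldest
    byte at each position, 'last' the newest. Returns None if a hole remains."""
    buf = {}
    for offset, data in chunks:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    if not buf or sorted(buf) != list(range(max(buf) + 1)):
        return None
    return bytes(buf[p] for p in range(len(buf)))

def classify(chunks, observed):
    """Label one run: 'ignored' (no echo reply), the policy or policies whose
    model output matches the echoed payload, or 'other'."""
    if observed is None:
        return "ignored"
    hits = [p for p in ("first", "last") if reassemble(chunks, p) == observed]
    return "+".join(hits) or "other"

def inconsistent_cases(chunks_by_case, runs):
    """runs: (scenario, case_id, observed_payload_or_None) tuples. Returns the
    (scenario, case_id) keys that received more than one label across runs."""
    seen = defaultdict(set)
    for scenario, case_id, observed in runs:
        seen[(scenario, case_id)].add(classify(chunks_by_case[case_id], observed))
    return {key: sorted(labels) for key, labels in seen.items() if len(labels) > 1}

# Constructed sample: one overlapping pair, replayed twice in three scenarios.
CASES = {"pair-01": [(0, b"AAAAAAAA"), (4, b"BBBBBBBB")]}
RUNS = [
    ("peoef", "pair-01", b"AAAAAAAABBBB"),   # run x: oldest data favored
    ("peoef", "pair-01", b"AAAABBBBBBBB"),   # run y: newest data favored
    ("pep",   "pair-01", b"AAAAAAAABBBB"),
    ("pep",   "pair-01", b"AAAAAAAABBBB"),   # same label both runs: consistent
    ("peosf", "pair-01", None),              # run x: test case chunks ignored
    ("peosf", "pair-01", b"AAAABBBBBBBB"),
]

if __name__ == "__main__":
    for key, labels in inconsistent_cases(CASES, RUNS).items():
        print(key, labels)
```

Real stacks can apply position-dependent overlap policies that land in the `other` label here; the consistency check itself only needs the labels to be stable per run.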
