From nobody Mon Jun 2 07:46:59 2025 X-Original-To: bugs@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4b9mBq2jsBz5xgSM for ; Mon, 02 Jun 2025 07:46:59 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4b9mBq1yNdz4Ply for ; Mon, 02 Jun 2025 07:46:59 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1748850419; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=aAHwDAVX+xuD4dfasotZ/AqoMp0aZNY1Yx9xAg4JmKw=; b=WZjbcJSj42dz9Avf7tc0YGT6BBOIn8GuDIHHuKXA8cNP6Ruj9IhZbGumg+CnYpyI7pQUmi rwLfYFg2U6MinROnACpYtBaafijRkyUOD1tWX3Za/c1zsk2dmAT/a8dena4yiXIdSZBS5w dMVBXb2+FFRgGaL58hh3B8O0FTVHEqtWd3WFQLAC9Eicc0UKkjfNJxekcdY9cMvN1EY8hv LUuNaX//nQ/nK8Ya6lcKMcrkPmpYBhffwvJJKz4oWkI98pPA3IggImZQxxkLhVIzeU42B/ DMQwK3MEMhfxD+pCBviLDqYvHaGfHI7Gw/PgPR+bxLYVMRDFs5D217y3MfAxdA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1748850419; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=aAHwDAVX+xuD4dfasotZ/AqoMp0aZNY1Yx9xAg4JmKw=; b=NegmRPzYVU625Fc6SisgblXvtcdayvfGuT28bc0+ZrA6Zcds5rScF+Lj5N3bvx2NSH5wRq vMHiqxC5P+LuVjvTeqMdwfcx9D3+EEI1lrCUmXIbyUpzwH6LH2HLdTXpLKmVkgXFDdZQ1b /dzaLFjZfeONTCYrat1utbB9ZvZ91uEIEjRR5gSjuyjaDOFJ0nD6kKabhQGa4T3dA50EmF cEwfv4s7iqfJK5Lk6+/oLFt/wiutGrhfsPKwKRN7fvPAp4967kGYuS0wQ6zjur1W8BEr65 pBAhMV+cDIb7gkjN11KJXwR521xPM0U4hhOc/zQux/NnnwfU8pis+FeJZOHIeA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1748850419; a=rsa-sha256; cv=none; b=nV1n7jyUo0J79hneCGpXJ0vevg4Hkd7t1AeC1JoI/uMqW8qlFEfz+GQjSkJnT/w2VzMtbM MZAbRFsX+JmJ6uS20tofBF/vIWbhVcosx/kQHvneK3e/ox3n74963Jzmz/PlZqvCtZxoa8 xrbIGGZyyFOh5XgngMpeBzIGeTPFPbZSdSH1aw9Jzn/gfcBF6McD/6VC4cOugs4OisvDxi WaugKmYIwev/yzbFVI0glGKmLQ2YfvCbuK2PmLW/nP59DdqJSvGbYoy4heYtcrfUuReA7M goGj/JFWW9PfjtJzTyAhXd3QvPPOxbiDJNzYe5luJ9kVGq8GPv1K+3PpfR1Ulg== Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4b9mBq0x1mz10m4 for ; Mon, 02 Jun 2025 07:46:59 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 5527kwjm016351 for ; Mon, 2 Jun 2025 07:46:58 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 5527kw4h016350 for bugs@FreeBSD.org; Mon, 2 Jun 2025 07:46:58 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 287229] TCP reassembly issue in FreeBSD 14.1 Date: Mon, 02 Jun 2025 07:46:59 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 14.2-STABLE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: lucas.aubard@irisa.fr X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter attachments.created Message-ID: Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="UTF-8" X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Bug reports List-Archive: https://lists.freebsd.org/archives/freebsd-bugs List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-bugs@FreeBSD.org MIME-Version: 1.0 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D287229 Bug ID: 287229 Summary: TCP reassembly issue in FreeBSD 14.1 Product: Base System Version: 14.2-STABLE Hardware: amd64 OS: Any Status: New Severity: Affects Some People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: lucas.aubard@irisa.fr Created attachment 260886 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D260886&action= =3Dedit PCAP files Dear FreeBSD development team,=20 I am Lucas Aubard. I am a PhD student in an Inria lab in Rennes, France.=20 This PhD is supervised by Gilles Guette (IMT Atlantique), Pierre Chifflier (ANSSI) and Johan Mazel (ANSSI). During our research work, we analyzed FreeBSD 14.1 when processing overlapp= ing IPv4 and IPv6 data fragments. Our platform exhaustively generates and tests overlapping and non-overlappi= ng test cases with pair (12 test cases) and triplet (409 test cases) chunks. E= very case is tested for several testing scenarii, i.e., the context surrounding = the original test case chunks.=20 For a given testing scenario, we noticed that FreeBSD does not reassemble at least one test case consistently across the multiple testing runs.=20 For IPv4 (resp. IPv6), it eventually impacts 25 (resp. 31) of the 42 implemented testing scenarii. Here are the description of some impacted scenarii:=20 - peoef: an ending contiguous extra chunk follows (timewisely) the overlapp= ing test case chunks. - peoep: an ending contiguous extra chunk precedes (timewisely) the overlap= ping test case chunks. - peosfef: a starting and an ending contiguous extra chunks follow (timewis= ely) the overlapping test case chunks. - peospep: a starting and an ending contiguous extra chunks precede (timewisely) the overlapping test case chunks. - peoepsf: an ending contiguous extra chunk precedes (timewisely) and a starting contiguous extra chunk follows (timewisely) the overlapping test c= ase chunks. - peosf: a starting contiguous extra chunk follows (timewisely) the overlap= ping test case chunks. + af: all the rightmost finishing fragments have the More Fragment bit unset. + ns: only the newest starting fragment has the More Fragment bit unset. + of: only the oldest finishing fragment has the More Fragment bit unse= t. - peosp: a starting contiguous extra chunk precedes (timewisely) the overlapping test case chunks. + as: all the rightmost starting fragments have the More Fragment bit unset. + nf: only the newest finishing fragment has the More Fragment bit unse= t. + oms: the oldest and mid starting fragment have the More Fragment bit unset.=20 - pep: no extra chunks. + os: only the oldest starting fragment has the More Fragment bit unset. According to what we have observed, when a test case inconsistency occurs: = at run x, FreeBSD reassembles favoring some overlapping data but at run y, it ignores the test case chunks or it favors other overlapping data.=20 While the fewer parallelizations, the fewer inconsistencies, we may observe some residual inconsistencies without parallelization. Attached are the pcap files and plots for some (random) overlap test cases illustrating the problem. Note that we test FreeBSD 14.1 IPv4 (resp. IPv6) fragment reassemblies with ICMP (resp. ICMPv6) Echo service and 192.168.56.= 37 (resp. fd00:0:0:56::37) are the FreeBSD host IP address in the PCAP files. While this non-deterministic behavior cannot be classified as a bug, we bel= ieve that this behavior is not intended. Can your confirm this? Do not hesitate if you have any question. Best regards, Lucas Aubard. --=20 You are receiving this mail because: You are the assignee for the bug.=