From owner-freebsd-bugs Tue Jun 11 0:40:16 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id D8F8737B406 for ; Tue, 11 Jun 2002 00:40:01 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g5B7e1m41061; Tue, 11 Jun 2002 00:40:01 -0700 (PDT) (envelope-from gnats)
Received: from nwww.freebsd.org (www.FreeBSD.org [216.136.204.117]) by hub.freebsd.org (Postfix) with ESMTP id 2E2CA37B409 for ; Tue, 11 Jun 2002 00:35:27 -0700 (PDT)
Received: from www.freebsd.org (localhost [127.0.0.1]) by nwww.freebsd.org (8.12.2/8.12.2) with ESMTP id g5B7ZRhG050244 for ; Tue, 11 Jun 2002 00:35:27 -0700 (PDT) (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost) by www.freebsd.org (8.12.2/8.12.2/Submit) id g5B7ZQi7050243; Tue, 11 Jun 2002 00:35:26 -0700 (PDT)
Message-Id: <200206110735.g5B7ZQi7050243@www.freebsd.org>
Date: Tue, 11 Jun 2002 00:35:26 -0700 (PDT)
From: Phil Dibowitz
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: kern/39141: Broken PMTUD
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number: 39141
>Category: kern
>Synopsis: Broken PMTUD
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jun 11 00:40:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Phil Dibowitz
>Release: 5.0-CURRENT
>Organization: MSS Initiative
>Environment:
FreeBSD trantor.xs4all.nl 5.0-CURRENT FreeBSD 5.0-CURRENT #6: Mon Apr 15 20:16:39 MET DST 2002
>Description:
BUG OVERVIEW
I believe there is a bug in the PMTUD (Path MTU Discovery) implementation in FreeBSD.
According to RFC 1191, when using PMTUD all TCP datagrams must have the Don't Fragment (DF) bit set. It seems that FreeBSD does not fully obey this rule. On "SYN ACK" packets, the DF bit is not set. It is set on all other packets though (including SYN packets). The details are below - I have been unable to find any reason for this behavior.

SEVERITY
I don't consider this a big security hole, but it is a bug. It could be used to do TCP fingerprinting, and it also breaks a standard.

DETAILS
I have made available packet sniffer logs of both sides of a test at the following locations.

http://home.earthlink.net/~jaymzh666/mss/snoop-log-solaris-to-bsd.gz
http://home.earthlink.net/~jaymzh666/mss/tcpdump-log-bsd-to-solaris.gz

The test systems were as follows:

$ uname -a
SunOS mort 5.9 s81_57 sun4u sparc SUNW,Sun-Blade-100

$ uname -a
FreeBSD trantor.xs4all.nl 5.0-CURRENT FreeBSD 5.0-CURRENT #6: Mon Apr 15 20:16:39 MET DST 2002 paulz@trantor.xs4all.nl:/usr/obj/usr/source/src/sys/trantor i386

If I can provide any more information, please let me know.
>How-To-Repeat:
Connect to a FreeBSD server with Path MTU Discovery enabled, and check the SYN+ACK packet.
>Fix:
Set the DF bit on SYN+ACK packets when PMTUD is enabled.
>Release-Note:
>Audit-Trail:
>Unformatted:
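The "How-To-Repeat" step above amounts to inspecting the IPv4 DF flag on each TCP segment of a handshake. The following checker, an added example that is not part of the PR or of FreeBSD, parses raw IPv4+TCP packets and reports every segment sent with DF clear, classifying it as SYN, SYN+ACK or other so that the reported symptom (DF set on SYN and data, clear on SYN+ACK) stands out. The three packets it is run on are constructed inline, not taken from the submitter's snoop/tcpdump logs; the `build_packet` helper and all addresses and ports are assumptions made for the example.

```python
"""Audit IPv4/TCP segments for the RFC 1191 rule the PR cites: a host doing
Path MTU Discovery must set the Don't Fragment (DF) bit on every TCP segment
it sends. Added example, not code from the PR; the packets at the bottom are
constructed, not taken from the submitter's capture logs."""
import struct

IP_DF = 0x4000      # Don't Fragment flag in the IPv4 flags/fragment-offset field
IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


def parse_packet(pkt: bytes) -> dict:
    """Extract addresses, ports, DF and SYN/ACK from a raw IPv4+TCP packet
    (no link-layer header). Checksums are not validated."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes, options included
    if proto != IPPROTO_TCP:
        raise ValueError("not a TCP segment")
    if len(pkt) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    tcp_flags = off_flags & 0x1FF       # low 9 bits: NS CWR ECE URG ACK PSH RST SYN FIN
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "sport": sport,
        "dport": dport,
        "df": bool(flags_frag & IP_DF),
        "syn": bool(tcp_flags & TCP_SYN),
        "ack": bool(tcp_flags & TCP_ACK),
    }


def segment_kind(fields: dict) -> str:
    """Classify a segment the way the PR does: SYN, SYN+ACK, or other."""
    if fields["syn"] and fields["ack"]:
        return "SYN+ACK"
    if fields["syn"]:
        return "SYN"
    return "other"


def find_df_violations(packets) -> list:
    """Return (kind, 'src:sport -> dst:dport') for each segment with DF clear.
    On a PMTUD-enabled host every entry violates RFC 1191; a SYN+ACK entry
    is the exact symptom the PR reports."""
    violations = []
    for pkt in packets:
        f = parse_packet(pkt)
        if not f["df"]:
            flow = f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}"
            violations.append((segment_kind(f), flow))
    return violations


def build_packet(src: str, dst: str, sport: int, dport: int,
                 tcp_flags: int, df: bool) -> bytes:
    """Assumed test helper: build a minimal IPv4+TCP packet (checksums left
    zero, which parse_packet does not check)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1,
                      (5 << 12) | tcp_flags, 65535, 0, 0)   # data offset 5 words
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1,
                     IP_DF if df else 0, 64, IPPROTO_TCP, 0, src_b, dst_b)
    return ip + tcp


# Constructed three-way handshake reproducing the reported behaviour:
# client SYN and final ACK carry DF, the server's SYN+ACK does not.
SAMPLE_HANDSHAKE = [
    build_packet("10.0.0.1", "10.0.0.2", 40000, 80, TCP_SYN, df=True),
    build_packet("10.0.0.2", "10.0.0.1", 80, 40000, TCP_SYN | TCP_ACK, df=False),
    build_packet("10.0.0.1", "10.0.0.2", 40000, 80, TCP_ACK, df=True),
]

if __name__ == "__main__":
    for kind, flow in find_df_violations(SAMPLE_HANDSHAKE):
        print(f"DF clear on {kind} segment {flow}")
```

Against a real capture, pass `find_df_violations` the IP payload of each frame (for Ethernet, the bytes after the 14-byte link header); an empty result for a PMTUD-enabled server means the SYN+ACK carries DF as RFC 1191 requires, while a `SYN+ACK` entry reproduces the PR's finding.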