FreeBSD Errata Notices
2008-Jun-19 06:54 UTC
[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-08:02.tcp
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-EN-08:02.tcp                                            Errata Notice
                                                          The FreeBSD Project

Topic:          TCP options padding

Category:       core
Module:         sys_netinet
Announced:      2008-06-19
Credits:        Bjoern A. Zeeb, Mike Silbersack, Andre Oppermann
Affects:        7.0-RELEASE
Corrected:      2008-05-05 20:59:36 UTC (RELENG_7, 7.0-STABLE)
                2008-06-19 06:36:10 UTC (RELENG_7_0, 7.0-RELEASE-p2)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.  TCP packets can contain "TCP options" which allow for
enhancements to basic TCP functionality; depending on the length of
these options, it may be necessary for padding to be added.

II.  Problem Description

Under certain conditions, TCP options are not correctly padded.

III. Impact

A small number of firewalls have been reported to block incorrectly
padded TCP SYN and SYN/ACK packets generated by FreeBSD 7.0, with the
result that an attempt to open a TCP connection to or from an affected
host across such a firewall will fail.

IV.  Workaround

Disabling RFC 1323 extensions and selective acknowledgments will
eliminate the need for TCP option padding and restore interoperability.
Note that disabling these features may cause a reduction in performance
on high latency networks and networks that experience frequent packet
loss.

To disable these features, add the following lines to /etc/sysctl.conf:

net.inet.tcp.rfc1323=0
net.inet.tcp.sack.enable=0

And then run "/etc/rc.d/sysctl restart" to make the change effective.

V.   Solution

Perform one of the following:

1) Upgrade your affected system to 7-STABLE, or the RELENG_7_0 security
branch dated after the correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 7.0 systems:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/EN-08:02/tcp.patch
# fetch http://security.FreeBSD.org/patches/EN-08:02/tcp.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/sys/netinet/tcp.h                                            1.40.2.1
  src/sys/netinet/tcp_output.c                                    1.141.2.6
RELENG_7_0
  src/UPDATING                                                1.507.2.3.2.6
  src/sys/conf/newvers.sh                                      1.72.2.5.2.6
  src/sys/netinet/tcp.h                                            1.40.4.1
  src/sys/netinet/tcp_output.c                                1.141.2.3.2.1
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-08:02.tcp.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkhaAaQACgkQFdaIBMps37KmwgCfdC7qerBUDdmxPLe6yKZEwb7/
TqwAoJGFuowGOY/oeEQr6/AQZm3zgRY3
=UlPD
-----END PGP SIGNATURE-----
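Section I of the notice says that TCP options may need padding depending on their length, and the workaround in section IV says that dropping the RFC 1323 and SACK options removes the need for padding altogether. The Python script below is an added example and is not part of the errata notice or of FreeBSD's tcp_output.c: it encodes the option list a SYN would carry (the MSS, window-scale shift and timestamp values are constructed), pads it to the 32-bit boundary that the TCP data offset field requires, and validates a raw options field for correct kind/length framing and padding, which is the check one would run over captured SYN and SYN/ACK option bytes when diagnosing the firewall behaviour described in section III. The rfc1323 and sack switches in build_syn_options are this example's stand-ins for the two sysctls in the workaround, not FreeBSD interfaces.

```python
import struct

# TCP option kinds (standard values from RFC 793, RFC 1323 and RFC 2018)
TCPOPT_EOL = 0             # end of option list; everything after it must be zero
TCPOPT_NOP = 1             # no-operation, 1 byte, also usable as alignment filler
TCPOPT_MAXSEG = 2          # maximum segment size, length 4
TCPOPT_WINDOW = 3          # window scale (RFC 1323), length 3
TCPOPT_SACK_PERMITTED = 4  # SACK permitted (RFC 2018), length 2
TCPOPT_TIMESTAMP = 8       # timestamps (RFC 1323), length 10


def pad_options(opts):
    """Pad an option list with zero (EOL) bytes to a multiple of 4.

    The TCP data offset field counts 32-bit words, so the options must end
    on a 4-byte boundary; the standard filler is an EOL followed by zeros.
    """
    return opts + b"\x00" * ((-len(opts)) % 4)


def build_syn_options(mss=1460, rfc1323=True, sack=True):
    """Encode the options a SYN would carry and pad them.

    rfc1323/sack mirror the net.inet.tcp.rfc1323 and
    net.inet.tcp.sack.enable workaround knobs (this example's assumption);
    the MSS, shift count and timestamp values are constructed sample data.
    """
    opts = struct.pack("!BBH", TCPOPT_MAXSEG, 4, mss)
    if rfc1323:
        opts += struct.pack("!BBB", TCPOPT_WINDOW, 3, 6)          # shift count 6
        opts += struct.pack("!BBII", TCPOPT_TIMESTAMP, 10, 1, 0)  # TSval=1, TSecr=0
    if sack:
        opts += struct.pack("!BB", TCPOPT_SACK_PERMITTED, 2)
    return pad_options(opts)


def check_options(opts):
    """Validate a raw TCP options field; return (ok, reason).

    Walks the kind/length framing, accepts NOP as filler, requires that
    every byte after an EOL is zero, and requires the total length to be
    a whole number of 32-bit words, which is what a strict middlebox
    checks before forwarding a SYN.
    """
    if len(opts) % 4:
        return False, "options length %d is not a multiple of 4" % len(opts)
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            if any(opts[i + 1:]):
                return False, "non-zero padding after EOL at offset %d" % i
            return True, "ok"
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            return False, "truncated option kind %d at offset %d" % (kind, i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return False, "bad length %d for option kind %d at offset %d" % (length, kind, i)
        i += length
    return True, "ok"


if __name__ == "__main__":
    full = build_syn_options()            # MSS + WS + TS + SACK-permitted = 19 bytes, padded to 20
    print(len(full), full.hex(), check_options(full))
    mss_only = build_syn_options(rfc1323=False, sack=False)   # 4 bytes, no padding needed
    print(len(mss_only), mss_only.hex(), check_options(mss_only))
```

With all four options the list is 19 bytes and needs one byte of padding; with only MSS it is exactly 4 bytes, which is why the workaround's two sysctls make the padding path irrelevant. check_options also rejects an options field whose tail after EOL is not all zero or whose length is not a multiple of 4, the two properties a packet capture from an affected host would be compared against.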