-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-EN-08:02.tcp Errata Notice
The FreeBSD Project
Topic: TCP options padding
Category: core
Module: sys_netinet
Announced: 2008-06-19
Credits: Bjoern A. Zeeb, Mike Silbersack, Andre Oppermann
Affects: 7.0-RELEASE
Corrected: 2008-05-05 20:59:36 UTC (RELENG_7, 7.0-STABLE)
           2008-06-19 06:36:10 UTC (RELENG_7_0, 7.0-RELEASE-p2)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
.
I. Background
The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service. TCP packets can contain "TCP options" which allow for
enhancements to basic TCP functionality; depending on the length of
these options, it may be necessary for padding to be added.
II. Problem Description
Under certain conditions, TCP options are not correctly padded.
III. Impact
A small number of firewalls have been reported to block incorrectly
padded TCP SYN and SYN/ACK packets generated by FreeBSD 7.0, with the
result that an attempt to open a TCP connection to or from an affected
host across such a firewall will fail.
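To make the padding rule from the Background section concrete, here is an added example (not part of this errata or of the FreeBSD source): a builder that lays out the SYN options a host with RFC 1323 and SACK enabled sends and pads them to a 32-bit boundary, and a validator of the kind a strict firewall applies, which rejects an option field whose length is not a multiple of four or whose option length bytes overrun. Option kinds follow RFC 793, RFC 1323 and RFC 2018; the MSS, scale and timestamp values are constructed.

```c
#include <stdint.h>
#include <string.h>
/* TCP option kinds (RFC 793, RFC 1323, RFC 2018). The data offset is a 4-bit
 * count of 32-bit words, so options are <= 40 bytes and a multiple of 4 long. */
enum { TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_MAXSEG = 2, TCPOPT_WINDOW = 3,
       TCPOPT_SACK_PERMITTED = 4, TCPOPT_TIMESTAMP = 8 };
#define TCP_MAXOLEN 40

/* Append one kind/len/data option; returns the new length, or -1 if it would
 * not fit in the option space. */
static int put_opt(uint8_t *o, int len, uint8_t kind, const uint8_t *d, int dlen)
{
    int total = 2 + dlen;
    if (len + total > TCP_MAXOLEN) return -1;
    o[len] = kind; o[len + 1] = (uint8_t)total;
    if (dlen) memcpy(o + len + 2, d, (size_t)dlen);
    return len + total;
}

/* SYN options sent with RFC 1323 and SACK on (MSS, window scale, SACK-permitted,
 * timestamps): 4 + 3 + 2 + 10 = 19 bytes, so one EOL pad byte is needed. Values constructed. */
int build_syn_options(uint8_t o[TCP_MAXOLEN])
{
    static const uint8_t mss[2] = { 0x05, 0xb4 };            /* MSS 1460 */
    static const uint8_t wscale[1] = { 3 };                  /* shift count 3 */
    static const uint8_t ts[8] = { 0, 0, 0, 1, 0, 0, 0, 0 }; /* TSval 1, TSecr 0 */
    int len = 0;
    if ((len = put_opt(o, len, TCPOPT_MAXSEG, mss, 2)) < 0) return -1;
    if ((len = put_opt(o, len, TCPOPT_WINDOW, wscale, 1)) < 0) return -1;
    if ((len = put_opt(o, len, TCPOPT_SACK_PERMITTED, NULL, 0)) < 0) return -1;
    if ((len = put_opt(o, len, TCPOPT_TIMESTAMP, ts, 8)) < 0) return -1;
    while (len % 4 != 0)             /* the padding step this errata concerns */
        o[len++] = TCPOPT_EOL;
    return len;
}

/* Return 1 if an option field of optlen bytes is correctly padded and every option's
 * length byte stays inside the field, 0 otherwise (a strict firewall drops on 0). */
int tcp_opts_well_formed(const uint8_t *o, int optlen)
{
    int i = 0;
    if (optlen < 0 || optlen > TCP_MAXOLEN || optlen % 4 != 0) return 0;
    while (i < optlen) {
        if (o[i] == TCPOPT_EOL) return 1;                    /* rest is padding */
        if (o[i] == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= optlen || o[i + 1] < 2 || i + o[i + 1] > optlen) return 0;
        i += o[i + 1];
    }
    return 1;
}
```

The validator also accepts the other legal layout, NOP bytes placed between options for alignment, so it tests well-formedness rather than one particular padding style.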
IV. Workaround
Disabling RFC 1323 extensions and selective acknowledgments will
eliminate the need for TCP option padding and restore interoperability.
Note that disabling these features may cause a reduction in performance
on high latency networks and networks that experience frequent packet
loss.
To disable these features, add the following lines to /etc/sysctl.conf:

  net.inet.tcp.rfc1323=0
  net.inet.tcp.sack.enable=0

And then run "/etc/rc.d/sysctl restart" to make the change effective.
V. Solution
Perform one of the following:
1) Upgrade your affected system to 7-STABLE, or the RELENG_7_0 security
branch dated after the correction date.
2) To patch your present system:
The following patch has been verified to apply to FreeBSD 7.0 systems:
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
  # fetch http://security.FreeBSD.org/patches/EN-08:02/tcp.patch
  # fetch http://security.FreeBSD.org/patches/EN-08:02/tcp.patch.asc
b) Execute the following commands as root:
  # cd /usr/src
  # patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/sys/netinet/tcp.h                                            1.40.2.1
  src/sys/netinet/tcp_output.c                                    1.141.2.6
RELENG_7_0
  src/UPDATING                                                1.507.2.3.2.6
  src/sys/conf/newvers.sh                                      1.72.2.5.2.6
  src/sys/netinet/tcp.h                                            1.40.4.1
  src/sys/netinet/tcp_output.c                                1.141.2.3.2.1
- -------------------------------------------------------------------------
VII. References
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-08:02.tcp.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)
iEYEARECAAYFAkhaAaQACgkQFdaIBMps37KmwgCfdC7qerBUDdmxPLe6yKZEwb7/
TqwAoJGFuowGOY/oeEQr6/AQZm3zgRY3
=UlPD
-----END PGP SIGNATURE-----