-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-EN-08:02.tcp                                            Errata Notice
                                                          The FreeBSD Project

Topic:          TCP options padding

Category:       core
Module:         sys_netinet
Announced:      2008-06-19
Credits:        Bjoern A. Zeeb, Mike Silbersack, Andre Oppermann
Affects:        7.0-RELEASE
Corrected:      2008-05-05 20:59:36 UTC (RELENG_7, 7.0-STABLE)
                2008-06-19 06:36:10 UTC (RELENG_7_0, 7.0-RELEASE-p2)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit .

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.  TCP packets can contain "TCP options" which allow for
enhancements to basic TCP functionality; because the TCP header length
is expressed in 32-bit words, the option list must end on a four-byte
boundary, so depending on the total length of the options it may be
necessary for padding to be added.

II.  Problem Description

Under certain conditions, TCP options are not correctly padded.

III. Impact

A small number of firewalls have been reported to block incorrectly
padded TCP SYN and SYN/ACK packets generated by FreeBSD 7.0, with the
result that an attempt to open a TCP connection to or from an affected
host across such a firewall will fail.

IV.  Workaround

Disabling RFC 1323 extensions (window scaling and timestamps) and
selective acknowledgments will eliminate the need for TCP option
padding and restore interoperability: only the MSS option remains on a
SYN, and it is already four bytes long.  Note that disabling these
features may cause a reduction in performance on high latency networks
and networks that experience frequent packet loss.

To disable these features, add the following lines to /etc/sysctl.conf:

net.inet.tcp.rfc1323=0
net.inet.tcp.sack.enable=0

And then run "/etc/rc.d/sysctl restart" to make the change effective.
The change applies to connections opened after that point; it does not
alter options already negotiated on established connections.

V.   Solution

Perform one of the following:

1) Upgrade your affected system to 7-STABLE, or the RELENG_7_0 security
branch dated after the correction date.
2) To patch your present system:

The following patch has been verified to apply to FreeBSD 7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.  The patch is fetched
over plain HTTP, so the detached signature is the only integrity check;
do not apply the patch until it verifies.

# fetch http://security.FreeBSD.org/patches/EN-08:02/tcp.patch
# fetch http://security.FreeBSD.org/patches/EN-08:02/tcp.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/sys/netinet/tcp.h                                            1.40.2.1
  src/sys/netinet/tcp_output.c                                    1.141.2.6
RELENG_7_0
  src/UPDATING                                                 1.507.2.3.2.6
  src/sys/conf/newvers.sh                                       1.72.2.5.2.6
  src/sys/netinet/tcp.h                                            1.40.4.1
  src/sys/netinet/tcp_output.c                                1.141.2.3.2.1
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-08:02.tcp.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkhaAaQACgkQFdaIBMps37KmwgCfdC7qerBUDdmxPLe6yKZEwb7/
TqwAoJGFuowGOY/oeEQr6/AQZm3zgRY3
=UlPD
-----END PGP SIGNATURE-----
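Editor's added example for sections I (Background) and IV (Workaround).
This C program is not part of the errata notice and is not FreeBSD's
tcp_output.c; it illustrates the RFC 793 padding rule the notice relies
on and why the two sysctls remove the need for padding.  It builds the
SYN option list controlled by net.inet.tcp.rfc1323 and
net.inet.tcp.sack.enable, pads it to a 32-bit boundary, derives the
header's data offset, and applies the check a strict firewall would
apply to the option area.  The option order, the MSS value of 1460, the
window scale of 3 and the timestamp value are constructed for the
example; the notice does not say which condition produced the bad
padding, and the program does not try to reproduce it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP option kinds (RFC 793, RFC 1323, RFC 2018). */
enum {
    TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_MAXSEG = 2,
    TCPOPT_WINDOW = 3, TCPOPT_SACK_PERMITTED = 4, TCPOPT_TIMESTAMP = 8
};
#define TCP_MAX_OPTLEN 40 /* 4-bit data offset: 15 words * 4 - 20 fixed bytes */

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Write the SYN option list that the two sysctls control into buf and
 * return its UNPADDED length.  buf must hold TCP_MAX_OPTLEN bytes.
 * Values and order are this example's own, not FreeBSD's layout. */
size_t build_syn_options(uint8_t *buf, bool rfc1323, bool sack,
                         uint16_t mss, uint8_t wscale, uint32_t tsval)
{
    size_t n = 0;
    /* MSS is always sent on a SYN: kind 2, length 4, 16-bit value. */
    buf[n++] = TCPOPT_MAXSEG; buf[n++] = 4;
    buf[n++] = (uint8_t)(mss >> 8); buf[n++] = (uint8_t)mss;
    if (rfc1323) {                          /* net.inet.tcp.rfc1323 */
        buf[n++] = TCPOPT_WINDOW; buf[n++] = 3; buf[n++] = wscale;
        buf[n++] = TCPOPT_TIMESTAMP; buf[n++] = 10;
        put32(buf + n, tsval); n += 4;      /* TSval */
        put32(buf + n, 0);     n += 4;      /* TSecr is zero on a SYN */
    }
    if (sack) {                             /* net.inet.tcp.sack.enable */
        buf[n++] = TCPOPT_SACK_PERMITTED; buf[n++] = 2;
    }
    return n;
}

/* RFC 793: the header must end on a 32-bit boundary and the padding is
 * zeros (kind 0, End of Option List).  Returns the padded length. */
size_t pad_options(uint8_t *buf, size_t n)
{
    while (n % 4 != 0)
        buf[n++] = TCPOPT_EOL;
    return n;
}

/* Data offset field (32-bit words) for a header carrying optlen bytes of
 * options, or 0 if that length cannot be encoded at all. */
unsigned tcp_data_offset(size_t optlen)
{
    if (optlen % 4 != 0 || optlen > TCP_MAX_OPTLEN)
        return 0;
    return (unsigned)((20 + optlen) / 4);
}

/* The check a strict receiver or firewall applies to the option area:
 * whole words only, sane length bytes, nothing but zeros after EOL. */
bool options_well_formed(const uint8_t *opt, size_t optlen)
{
    if (optlen % 4 != 0 || optlen > TCP_MAX_OPTLEN)
        return false;
    for (size_t i = 0; i < optlen; ) {
        uint8_t kind = opt[i];
        if (kind == TCPOPT_EOL) {
            for (size_t j = i + 1; j < optlen; j++)
                if (opt[j] != 0)
                    return false;           /* garbage after EOL */
            return true;
        }
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= optlen)
            return false;                   /* kind with no length byte */
        uint8_t len = opt[i + 1];
        if (len < 2 || i + len > optlen)
            return false;                   /* option runs past the area */
        i += len;
    }
    return true;
}

/* Padding bytes a SYN needs for a given sysctl combination. */
size_t syn_padding_needed(bool rfc1323, bool sack)
{
    uint8_t buf[TCP_MAX_OPTLEN];
    size_t n = build_syn_options(buf, rfc1323, sack, 1460, 3, 0x12345678u);
    return pad_options(buf, n) - n;
}

/* Build the SYN options with or without padding and validate them. */
bool syn_options_ok(bool rfc1323, bool sack, bool pad)
{
    uint8_t buf[TCP_MAX_OPTLEN];
    size_t n = build_syn_options(buf, rfc1323, sack, 1460, 3, 0x12345678u);
    if (pad)
        n = pad_options(buf, n);
    return options_well_formed(buf, n);
}

int main(void)
{
    static const struct { bool rfc1323, sack; } cases[] =
        { {true, true}, {true, false}, {false, true}, {false, false} };
    for (size_t c = 0; c < sizeof cases / sizeof cases[0]; c++) {
        uint8_t buf[TCP_MAX_OPTLEN];
        size_t n = build_syn_options(buf, cases[c].rfc1323, cases[c].sack,
                                     1460, 3, 0x12345678u);
        size_t padded = pad_options(buf, n);
        printf("rfc1323=%d sack.enable=%d: %zu option bytes, %zu padding, "
               "data offset %u, unpadded list %s\n",
               cases[c].rfc1323, cases[c].sack, n, padded - n,
               tcp_data_offset(padded),
               options_well_formed(buf, n) ? "accepted" : "rejected");
    }
    return 0;
}
```

With both sysctls at their defaults the list is 19 bytes and needs one
byte of padding; with only one of them enabled it needs two or three;
with both set to 0 only the 4-byte MSS option is left and no padding is
required, which is exactly why the workaround sidesteps the problem.
The unpadded 19-byte list fails the same check a strict firewall
applies, while the padded 20-byte list passes it.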