Bug 82002 - Responding to bogus SYN, Linux repeats SYN+ACK despite RST
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: kernel   
Version: 7.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Arjan van de Ven
QA Contact: Brian Brock
 
Reported: 2003-01-16 07:48 UTC by Matthew Braithwaite
Modified: 2007-04-18 16:50 UTC (History)

Doc Type: Bug Fix
Last Closed: 2003-02-25 23:52:34 UTC


Attachments
Solaris 7 reacting to a forged SYN (250 bytes, application/octet-stream)
2003-01-16 07:50 UTC, Matthew Braithwaite
Linux reacting to a forged SYN (1000 bytes, application/octet-stream)
2003-01-16 07:51 UTC, Matthew Braithwaite
Program to generate forged SYN (877 bytes, text/plain)
2003-01-16 08:03 UTC, Matthew Braithwaite

Description Matthew Braithwaite 2003-01-16 07:48:26 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.6 (X11; FreeBSD i386; U;) Gecko/0

Description of problem:
I can't quote chapter and verse, but the following behavior seems obviously
wrong, and it differs from another OS (Solaris) chosen at random for comparison.

Let A be a Linux box running RedHat 7.3, kernel=2.4.18-10bigmem.

When A receives a forged SYN from B, A sends B a SYN+ACK.  B then sends A a RST,
since the initial SYN is forged.

You'd think it'd end there.  But no, A keeps sending SYN+ACK to B for a long
time, despite receiving an RST in response to every one.

I will append tcpdumps showing how Linux and Solaris react differently.  As one
would expect, Solaris stops the three-way handshake immediately after receiving
the RST.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Using libnet, forge a SYN from your own IP address to a Linux box.  

Additional info:

Comment 1 Matthew Braithwaite 2003-01-16 07:50:10 UTC
Created attachment 89404
Solaris 7 reacting to a forged SYN

This is the behavior that seems reasonable to me.

Comment 2 Matthew Braithwaite 2003-01-16 07:51:07 UTC
Created attachment 89405
Linux reacting to a forged SYN

This is how Linux reacts.  This seems wrong to me.
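
Added example (not part of the original report or its attachments): one way to check a capture for the behaviour described in this bug, by counting the SYN+ACKs a host keeps sending after the peer has already answered that handshake with RST. It assumes `tcpdump -nn` text output for IPv4; the function name, sample lines and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Address and flag fields of a `tcpdump -nn` IPv4 TCP line.
LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def synack_after_rst(lines):
    """Return {(server_ip, server_port, peer_ip, peer_port): count} of
    SYN+ACKs sent after the peer had already reset that handshake."""
    reset_seen = set()
    late = defaultdict(int)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not an IPv4 TCP line in the expected format
        src = (m["src"], int(m["sport"]))
        dst = (m["dst"], int(m["dport"]))
        flags = m["flags"]
        if flags == "S":
            # A new SYN starts a new attempt, so forget any earlier RST.
            reset_seen.discard(dst + src)
        elif "R" in flags:
            # RST travelling peer -> server; key is (server, peer).
            reset_seen.add(dst + src)
        elif flags == "S." and (src + dst) in reset_seen:
            late[src + dst] += 1
    return dict(late)

# Constructed capture: 192.0.2.10 repeats SYN+ACK after RST (the behaviour
# reported here); 192.0.2.11 stops after the first RST.
SAMPLE = """\
07:50:00.000000 IP 192.0.2.20.40000 > 192.0.2.10.80: Flags [S], seq 100, win 512, length 0
07:50:00.000300 IP 192.0.2.10.80 > 192.0.2.20.40000: Flags [S.], seq 900, ack 101, win 5840, length 0
07:50:00.000500 IP 192.0.2.20.40000 > 192.0.2.10.80: Flags [R], seq 101, win 0, length 0
07:50:03.000300 IP 192.0.2.10.80 > 192.0.2.20.40000: Flags [S.], seq 900, ack 101, win 5840, length 0
07:50:03.000500 IP 192.0.2.20.40000 > 192.0.2.10.80: Flags [R], seq 101, win 0, length 0
07:50:09.000300 IP 192.0.2.10.80 > 192.0.2.20.40000: Flags [S.], seq 900, ack 101, win 5840, length 0
07:50:09.000500 IP 192.0.2.20.40000 > 192.0.2.10.80: Flags [R], seq 101, win 0, length 0
07:51:00.000000 IP 192.0.2.20.40001 > 192.0.2.11.80: Flags [S], seq 200, win 512, length 0
07:51:00.000300 IP 192.0.2.11.80 > 192.0.2.20.40001: Flags [S.], seq 700, ack 201, win 24820, length 0
07:51:00.000500 IP 192.0.2.20.40001 > 192.0.2.11.80: Flags [R], seq 201, win 0, length 0
"""

if __name__ == "__main__":
    for flow, count in synack_after_rst(SAMPLE.splitlines()).items():
        print(flow, "sent", count, "SYN+ACK(s) after RST")
```

A host with the fix should produce an empty result for the same test traffic.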

Comment 3 Matthew Braithwaite 2003-01-16 08:03:54 UTC
Created attachment 89406
Program to generate forged SYN

Requires libnet

Comment 4 Arjan van de Ven 2003-01-16 10:08:48 UTC
this is something that should be fixed in a more recent erratum kernel.

Comment 5 Matthew Braithwaite 2003-01-16 15:49:00 UTC
> this is something that should be fixed in a more recent erratum kernel.

I'm unclear whether that means that it *is* fixed or that it *will be* fixed. 
(If the former -- in what version?)

Comment 6 Arjan van de Ven 2003-01-16 15:57:34 UTC
it's believed to be fixed in the current erratum for 7.3, eg version 2.4.18-19.7.x
(which is the 3rd erratum since 2.4.18-10)



Comment 7 Matthew Braithwaite 2003-02-25 23:52:34 UTC
I confirm that this is fixed in 2.4.18-24.7.xbigmem.  Thanks.  Resolving
CURRENTRELEASE. 

