Bug 82002 - Responding to bogus SYN, Linux repeats SYN+ACK despite RST
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: kernel
Version: 7.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Arjan van de Ven
Brian Brock
Reported: 2003-01-16 02:48 EST by Matthew Braithwaite
Modified: 2007-04-18 12:50 EDT (History)
Doc Type: Bug Fix
Last Closed: 2003-02-25 18:52:34 EST


Attachments
Solaris 7 reacting to a forged SYN (250 bytes, application/octet-stream)
2003-01-16 02:50 EST, Matthew Braithwaite
Linux reacting to a forged SYN (1000 bytes, application/octet-stream)
2003-01-16 02:51 EST, Matthew Braithwaite
Program to generate forged SYN (877 bytes, text/plain)
2003-01-16 03:03 EST, Matthew Braithwaite
Description Matthew Braithwaite 2003-01-16 02:48:26 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.6 (X11; FreeBSD i386; U;) Gecko/0

Description of problem:
I can't quote chapter and verse, but the following behavior seems obviously
wrong, and it differs from another OS (Solaris) chosen at random for comparison.

Let A be a Linux box running RedHat 7.3, kernel=2.4.18-10bigmem.

When A receives a forged SYN from B, A sends B a SYN+ACK.  B then sends A a RST,
since the initial SYN is forged.

You'd think it'd end there.  But no, A keeps sending SYN+ACK to B for a long
time, despite receiving an RST in response to every one.

I will append tcpdumps showing how Linux and Solaris react differently.  As one
would expect, Solaris stops the three-way handshake immediately after receiving
the RST.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Using libnet, forge a SYN from your own IP address to a Linux box.  

Additional info:
Comment 1 Matthew Braithwaite 2003-01-16 02:50:10 EST
Created attachment 89404
Solaris 7 reacting to a forged SYN

This is the behavior that seems reasonable to me.
Comment 2 Matthew Braithwaite 2003-01-16 02:51:07 EST
Created attachment 89405
Linux reacting to a forged SYN

This is how Linux reacts.  This seems wrong to me.
Comment 3 Matthew Braithwaite 2003-01-16 03:03:54 EST
Created attachment 89406
Program to generate forged SYN

Requires libnet
Comment 4 Arjan van de Ven 2003-01-16 05:08:48 EST
this is something that should be fixed in a more recent erratum kernel.
Comment 5 Matthew Braithwaite 2003-01-16 10:49:00 EST
> this is something that should be fixed in a more recent erratum kernel.

I'm unclear whether that means that it *is* fixed or that it *will be* fixed. 
(If the former -- in what version?)
Comment 6 Arjan van de Ven 2003-01-16 10:57:34 EST
It's believed to be fixed in the current erratum for 7.3, e.g. version 2.4.18-19.7.x
(which is the 3rd erratum since 2.4.18-10)

Comment 7 Matthew Braithwaite 2003-02-25 18:52:34 EST
I confirm that this is fixed in 2.4.18-24.7.xbigmem.  Thanks.  Resolving
CURRENTRELEASE. 
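
A regression check for the behavior reported in this bug, as an added example that is not part of the original report or its attachments: it scans `tcpdump -n` text output and counts SYN+ACK segments a host keeps sending after the peer has already answered with RST. The two traces, their timestamps and the 192.0.2.x addresses are constructed for illustration and only mirror the behavior described in the report.

```python
import re
from collections import defaultdict

# Matches TCP lines as printed by `tcpdump -n`, e.g.
# 12:00:00.000100 IP 192.0.2.20.80 > 192.0.2.10.40000: Flags [S.], seq 5000, ack 1001, ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[A-Z.]+)\]"
)

def synack_after_rst(lines):
    """Return {(server, client): n} where n SYN+ACKs followed the client's RST."""
    rst_seen = set()              # (server, client) pairs the client has reset
    offenders = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # skip non-TCP or unparsable lines
        src, dst, flags = m["src"], m["dst"], m["flags"]
        if "R" in flags:
            rst_seen.add((dst, src))      # RST travels client -> server
        elif flags == "S":
            rst_seen.discard((dst, src))  # a fresh SYN starts a new attempt
        elif flags == "S." and (src, dst) in rst_seen:
            offenders[(src, dst)] += 1    # handshake continued despite RST
    return dict(offenders)

A, B = "192.0.2.20.80", "192.0.2.10.40000"   # constructed endpoints

# Constructed trace: behavior the report attributes to 2.4.18-10bigmem.
LINUX_TRACE = [
    f"12:00:00.000000 IP {B} > {A}: Flags [S], seq 1000, win 512, length 0",
    f"12:00:00.000100 IP {A} > {B}: Flags [S.], seq 5000, ack 1001, win 5840, length 0",
    f"12:00:00.000200 IP {B} > {A}: Flags [R], seq 1001, win 0, length 0",
    f"12:00:03.000100 IP {A} > {B}: Flags [S.], seq 5000, ack 1001, win 5840, length 0",
    f"12:00:03.000200 IP {B} > {A}: Flags [R], seq 1001, win 0, length 0",
    f"12:00:09.000100 IP {A} > {B}: Flags [S.], seq 5000, ack 1001, win 5840, length 0",
    f"12:00:09.000200 IP {B} > {A}: Flags [R], seq 1001, win 0, length 0",
]

# Constructed trace: handshake abandoned at the first RST, as reported for Solaris.
SOLARIS_TRACE = LINUX_TRACE[:3]

if __name__ == "__main__":
    for name, trace in (("linux", LINUX_TRACE), ("solaris", SOLARIS_TRACE)):
        print(name, synack_after_rst(trace) or "no SYN+ACK after RST")
```
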
