From nobody@www.freebsd.org  Tue Jun 11 00:35:27 2002
Return-Path: <nobody@www.freebsd.org>
Received: from nwww.freebsd.org (www.FreeBSD.org [216.136.204.117])
	by hub.freebsd.org (Postfix) with ESMTP id 2E2CA37B409
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 11 Jun 2002 00:35:27 -0700 (PDT)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by nwww.freebsd.org (8.12.2/8.12.2) with ESMTP id g5B7ZRhG050244
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 11 Jun 2002 00:35:27 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.2/8.12.2/Submit) id g5B7ZQi7050243;
	Tue, 11 Jun 2002 00:35:26 -0700 (PDT)
Message-Id: <200206110735.g5B7ZQi7050243@www.freebsd.org>
Date: Tue, 11 Jun 2002 00:35:26 -0700 (PDT)
From: Phil Dibowitz <mss@ipom.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Broken PMTUD
X-Send-Pr-Version: www-1.0

>Number:         39141
>Category:       kern
>Synopsis:       Broken PMTUD
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    silby
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 11 00:40:01 PDT 2002
>Closed-Date:    Mon Aug 19 15:01:07 PDT 2002
>Last-Modified:  Mon Aug 19 15:01:07 PDT 2002
>Originator:     Phil Dibowitz
>Release:        5.0-CURRENT
>Organization:
MSS Initiative
>Environment:
FreeBSD trantor.xs4all.nl 5.0-CURRENT FreeBSD 5.0-CURRENT #6: Mon Apr 15 20:16:39 MET DST 2002
>Description:
BUG OVERVIEW
I believe there is a bug in the PMTUD (Path MTU Discovery) implementation in FreeBSD. According to RFC 1191, when using PMTUD all TCP datagrams must have the Don't Fragment (DF) bit set. It seems that FreeBSD does not fully obey this rule. On "SYN ACK" packets, the DF bit is not set. It is set on all other packets though (including SYN packets). The details are below - I have been unable to find any reason for this behavior.

SEVERITY
I don't consider this a big security hole, but it is a bug. It could be used to do TCP fingerprinting, and it also breaks a standard.

DETAILS
I have made available packet sniffer logs of both sides of a test at the following locations.
http://home.earthlink.net/~jaymzh666/mss/snoop-log-solaris-to-bsd.gz
http://home.earthlink.net/~jaymzh666/mss/tcpdump-log-bsd-to-solaris.gz

The test systems were as follows:
$ uname -a
SunOS mort 5.9 s81_57 sun4u sparc SUNW,Sun-Blade-100
$ uname -a
FreeBSD trantor.xs4all.nl 5.0-CURRENT FreeBSD 5.0-CURRENT #6: Mon Apr 15 20:16:39 MET DST 2002 paulz@trantor.xs4all.nl:/usr/obj/usr/source/src/sys/trantor i386

If I can provide any more information, please let me know.


>How-To-Repeat:
Connect to a FreeBSD server with Path MTU Discovery Enabled, and check the SYN+ACK packet.
>Fix:
Set the DF bit on SYN+ACK packets when PMTUD is enabled.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->silby
Responsible-Changed-By: silby
Responsible-Changed-When: Tue Jun 11 17:53:37 PDT 2002
Responsible-Changed-Why:
I'll handle this soon.

http://www.freebsd.org/cgi/query-pr.cgi?pr=39141
State-Changed-From-To: open->closed
State-Changed-By: silby
State-Changed-When: Mon Aug 19 15:00:50 PDT 2002
State-Changed-Why:
Changes are fully MFC'd now, issue closed.

http://www.freebsd.org/cgi/query-pr.cgi?pr=39141
>Unformatted:
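The Description and How-To-Repeat sections of this PR amount to a check that can be scripted: decode each TCP segment, read the IPv4 Don't Fragment bit, and report any segment (the SYN+ACK in particular) carried without it. The Python below is an added example written for this page; it is not part of the PR and not FreeBSD code. The addresses, ports and in-memory pcap bytes are constructed here, checksums are left at zero because nothing is ever sent, and the constructed handshake reproduces the behaviour the PR reports (DF set on SYN and data, clear on SYN+ACK). It also reads a classic microsecond pcap file, so the same check can be run over a real capture such as the tcpdump log linked above.

```python
import socket
import struct

IP_DF = 0x4000          # Don't Fragment bit in the IPv4 flags/fragment-offset field
IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_PSH = 0x08
TCP_ACK = 0x10


def build_ipv4_tcp(src, dst, sport, dport, tcp_flags, df):
    """Construct a minimal IPv4+TCP packet (no options, no payload).
    Checksums are left at zero: these packets are parsed locally, never sent."""
    flags_frag = IP_DF if df else 0
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0x1234, flags_frag, 64, IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(raw):
    """Decode the fields the check needs; return None for anything that is not IPv4/TCP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", raw[6:8])[0]
    if raw[9] != IPPROTO_TCP or len(raw) < ihl + 20:
        return None
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return {
        "src": socket.inet_ntoa(raw[12:16]),
        "dst": socket.inet_ntoa(raw[16:20]),
        "sport": sport,
        "dport": dport,
        "tcp_flags": raw[ihl + 13],      # byte 13 of the TCP header holds the flag bits
        "df": bool(flags_frag & IP_DF),
    }


def segment_kind(tcp_flags):
    """Classify a segment by its SYN/ACK bits, which is all RFC 1191 compliance needs."""
    if tcp_flags & TCP_SYN:
        return "SYN+ACK" if tcp_flags & TCP_ACK else "SYN"
    return "other"


def find_df_violations(packets):
    """Return (kind, 'src:sport', 'dst:dport') for every TCP segment carried without DF."""
    findings = []
    for raw in packets:
        p = parse_ipv4_tcp(raw)
        if p is None or p["df"]:
            continue
        findings.append((segment_kind(p["tcp_flags"]),
                         f'{p["src"]}:{p["sport"]}', f'{p["dst"]}:{p["dport"]}'))
    return findings


def iter_pcap_packets(data):
    """Yield the IP layer of each record in a classic (microsecond) pcap byte string.
    Handles Ethernet (linktype 1) and raw IP (linktype 101 or 12) captures."""
    magic = data[:4]
    if magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    elif magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == 1:
            if len(frame) < 14 or frame[12:14] != b"\x08\x00":
                continue                  # skip non-IPv4 Ethernet frames
            yield frame[14:]
        elif linktype in (101, 12):
            yield frame
        else:
            raise ValueError(f"unsupported linktype {linktype}")


def sample_handshake():
    """Constructed capture reproducing the reported behaviour: DF on SYN and data, not on SYN+ACK."""
    client, server = "10.0.0.2", "10.0.0.1"   # constructed addresses
    return [
        build_ipv4_tcp(client, server, 40000, 80, TCP_SYN, df=True),
        build_ipv4_tcp(server, client, 80, 40000, TCP_SYN | TCP_ACK, df=False),
        build_ipv4_tcp(client, server, 40000, 80, TCP_ACK, df=True),
        build_ipv4_tcp(server, client, 80, 40000, TCP_ACK | TCP_PSH, df=True),
    ]


def sample_pcap():
    """Wrap sample_handshake() in a little-endian raw-IP (linktype 101) pcap byte string."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    body = b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in sample_handshake())
    return header + body


if __name__ == "__main__":
    for kind, src, dst in find_df_violations(iter_pcap_packets(sample_pcap())):
        print(f"DF clear on {kind} segment {src} -> {dst}")
```

On a real capture, replace `sample_pcap()` with the bytes of a pcap file; a server that sets DF on every segment, as the PR's Fix section asks, produces no findings at all.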
