[tcpm] TCP segment reassembly vulnerability

Loganaden Velvindron <loganaden@gmail.com> Thu, 09 August 2018 18:43 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/jqZPldrf9uG-HQQdGAovzKPhgak>

It appears to be an issue on multiple implementations. AFAIK, it's due
to lack of limits for the reassembly logic when the segments enter the
queue.

FreeBSD:
https://www.freebsd.org/security/advisories/FreeBSD-SA-18:08.tcp.asc

Linux:
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=1a4f14bab1868b443f0dd3c55b689a478f82e72e

Perhaps it might be worth documenting those solutions and possible workarounds.


Thoughts?
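
A sketch of the kind of limit the message says was missing, as an added example that is not part of the original post and is not code from FreeBSD or Linux: a per-connection out-of-order queue that merges overlapping or adjacent ranges and refuses to grow past a fixed number of entries. The names `reass_insert`, `struct reassq` and `REASS_MAXQLEN` are hypothetical, and the sketch assumes no sequence-number wraparound and tracks byte ranges only, not payload.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

#define REASS_MAXQLEN 4 /* constructed cap, kept small for the demo */

struct seg { uint32_t start, end; struct seg *next; }; /* covers [start, end) */
struct reassq { struct seg *head; unsigned len, dropped; };

/* Queue one out-of-order range. Returns 1 if stored or merged, 0 if dropped. */
int reass_insert(struct reassq *q, uint32_t start, uint32_t end)
{
    struct seg **pp = &q->head, *s;

    while (*pp && (*pp)->end < start)      /* skip entries wholly before us */
        pp = &(*pp)->next;
    if (*pp && (*pp)->start <= end) {      /* overlaps or touches: grow it */
        s = *pp;
        if (start < s->start) s->start = start;
        if (end > s->end) s->end = end;
        while (s->next && s->next->start <= s->end) { /* absorb closed holes */
            struct seg *n = s->next;
            if (n->end > s->end) s->end = n->end;
            s->next = n->next;
            free(n);
            q->len--;
        }
        return 1;
    }
    /* A new entry separated by holes is needed: enforce the cap first. */
    if (q->len >= REASS_MAXQLEN || (s = malloc(sizeof(*s))) == NULL) {
        q->dropped++;
        return 0;
    }
    s->start = start; s->end = end; s->next = *pp;
    *pp = s;
    q->len++;
    return 1;
}

int main(void)
{
    struct reassq q = {0};
    /* Constructed input: 1-byte segments, each leaving a hole before the next. */
    for (uint32_t seq = 1000; seq < 1100; seq += 2)
        reass_insert(&q, seq, seq + 1);
    printf("queued=%u dropped=%u\n", q.len, q.dropped);
    return 0;
}
```

With the cap in place, the cost of walking the queue on each arriving segment is bounded by `REASS_MAXQLEN` no matter how many hole-separated segments the peer sends; a segment that closes a hole still merges and frees an entry.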