-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-EN-08:02.tcp                                      Errata Notice
                                                          The FreeBSD Project

Topic:          TCP options padding

Category:       core
Module:         sys_netinet
Announced:      2008-06-19
Credits:        Bjoern A. Zeeb, Mike Silbersack, Andre Oppermann
Affects:        7.0-RELEASE
Corrected:      2008-05-05 20:59:36 UTC (RELENG_7, 7.0-STABLE)
                2008-06-19 06:36:10 UTC (RELENG_7_0, 7.0-RELEASE-p2)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.  TCP packets can contain "TCP options" which allow for
enhancements to basic TCP functionality; depending on the length of
these options, it may be necessary for padding to be added.

II.  Problem Description

Under certain conditions, TCP options are not correctly padded.

III. Impact

A small number of firewalls have been reported to block incorrectly
padded TCP SYN and SYN/ACK packets generated by FreeBSD 7.0, with the
result that an attempt to open a TCP connection to or from an affected
host across such a firewall will fail.

IV.  Workaround

Disabling RFC 1323 extensions and selective acknowledgments will
eliminate the need for TCP option padding and restore interoperability.
Note that disabling these features may cause a reduction in performance
on high latency networks and networks that experience frequent packet
loss.

To disable these features, add the following lines to /etc/sysctl.conf:

net.inet.tcp.rfc1323=0
net.inet.tcp.sack.enable=0

And then run "/etc/rc.d/sysctl restart" to make the change effective.

V.   Solution

Perform one of the following:

1) Upgrade your affected system to 7-STABLE, or the RELENG_7_0 security
branch dated after the correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 7.0 systems:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/EN-08:02/tcp.patch
# fetch http://security.FreeBSD.org/patches/EN-08:02/tcp.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/sys/netinet/tcp.h                                          1.40.2.1
  src/sys/netinet/tcp_output.c                                  1.141.2.6
RELENG_7_0
  src/UPDATING                                              1.507.2.3.2.6
  src/sys/conf/newvers.sh                                    1.72.2.5.2.6
  src/sys/netinet/tcp.h                                          1.40.4.1
  src/sys/netinet/tcp_output.c                              1.141.2.3.2.1
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-08:02.tcp.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkhaAaQACgkQFdaIBMps37KmwgCfdC7qerBUDdmxPLe6yKZEwb7/
TqwAoJGFuowGOY/oeEQr6/AQZm3zgRY3
=UlPD
-----END PGP SIGNATURE-----