lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 17 Jan 2007 17:12:47 +0300 From: Michael Tokarev <mjt@....msk.ru> To: Herbert Xu <herbert@...dor.apana.org.au> CC: netdev@...r.kernel.org, Patrick McHardy <kaber@...sh.net> Subject: Re: rare bad TCP checksum with 2.6.19? Herbert Xu wrote: > On Tue, Jan 16, 2007 at 11:08:51AM +0300, Michael Tokarev wrote: >> Ok. Here's another trace, from that remote network that triggers >> this thing more-or-less reliable (every 2nd transfer at least) -- >> http://www.corpit.ru/mjt/bh-bad-cksum-dmp.bin . It's a full session >> between 216.168.29.244 - the requesting/receiving side -- and >> 81.13.94.6 -- our sending side (the file being transferred is some >> trojan horse I found on a friend's PC, so be careful ;) > > I'll have a look at this tomorrow. > > Since you're certain that this is being seen on the wire, one > possibility is that we've got a bug somewhere that's zeroing > skb->ip_summed on a packet with a partial checksum. Here's another sample, which may be more useful. I've seen quite alot of very similar stuff while running tcpdump. http://www.corpit.ru/mjt/bad-cksum-session3-dmp.bin The scenario looks like this. A client (82.84.172.37 -- a zombie machine trying to send us spam in this case) connects to a port 25 here (81.13.94.6:25). SYN+ACK sequence completes. Next, our server send an initial SMTP greething message, but almost right after that, the client sends a FIN packet, WITHOUT acknowleging that it received the (first and only) data packet. So some time later our machine re-sends the data, AND adds FIN flag to the packet (also replying to the FIN received from the client). And *that* packet - original data packet which is modified to also include FIN - has incorrect checksum. So it looks like the checksum isn't being updated WHEN ADDING MORE FLAGS to the original data packet. /mjt - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists