lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:	Wed, 28 May 2008 19:30:37 -0700
From:	"Adam Langley" <>
Subject: SACK + MD5 overflows TCP options space

in tcp_output.c:tcp_transmit_skb we have:

	 * Are we doing MD5 on this segment? If so - make
	 * room for it.
	md5 = tp->af_specific->md5_lookup(sk, sk);
	if (md5)
		tcp_header_size += TCPOLEN_MD5SIG_ALIGNED;

However, the SACK option can be at least 18 bytes long (I've not
checked the code here, I've just observed a packet go by with that
much SACK in it). With alignment padding, that's 20 bytes. Plus 12
bytes of timestamp option (aligned). Then, adding 18 bytes of MD5SIG
rolls the TCP header size over and we produce garbage, right?

I'm only asking because I've a patch which adds a similar option and,
when SACK kicks in, I'm getting TCP header sizes of 0 or 8 bytes. If
there's a solution to the MD5 case that I'm missing I'd love to use
it. (Otherwise, I've another bodge up my sleeves)


Adam Langley
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists