 From:  "Manuel Kasper" <mk at neon1 dot net>
 To:  list at m0n0wall dot neon1 dot net
 Subject:  pb8 released!
 Date:  Wed, 30 Apr 2003 21:38:24 +0200 (CEST)
Good evening!
(at least to the part of the world where it's actually evening ;)

pb8 has just been released; new features:

- caching DNS forwarder, thanks to Bob Zoller! Great job again, dude!

- RADIUS server support for PPTP VPN (may be used with e.g. Microsoft IAS)

- bug in ipfilter's MSS clamping feature fixed

I've spent too much time again fixing bugs in other people's code. I
figured that ipfilter didn't fix up the MSS properly on some packets,
while it worked fine on others (MSS = maximum segment size; a TCP option;
fixing this up is necessary for PPPoE connections (DSL) since the MTU is
1492 instead of 1500 bytes because of the PPPoE header - all DSL routers
do that). At first it wasn't clear what exactly was causing the MSS
clamping to fail (I noticed it because my mail server was unable to
receive mail from users of a particular Swiss ISP while it worked fine
with others); extensive debugging with tcpdump and ethereal (sniffing raw
PPPoE frames between m0n0wall and my ADSL modem) showed only one
difference: the SYN packets on which ipfilter failed had MSS as their only
TCP option, while it worked with packets where MSS was followed by other
options (like timestamp or window scale).

With this in mind, I went over ipfilter's MSS clamping code and spotted
the mistake - an off-by-one security check (anti-buffer-overflow I
suppose) caused the clamping to fail for those packets. The fix is trivial
(spotting the mistake wasn't ;) - a patch is attached for those who are

The impact was that transferring more than 1452 bytes of data at once
from/to hosts which:

- do not send any TCP options other than MSS clamping in their SYN
  (as such the bug depended on the operating system of the hosts)
and, at the same time
- block ICMP "fragmentation needed" messages

was impossible.

I've reported the bug to the author of ipfilter, Darren Reed, on Monday,
but so far I haven't got a response. Since the fix is so obvious, I
decided to roll it into m0n0wall without waiting for his acknowledgement.

That's all for the moment; I guess I'll spend more time on "m0n0BSD" now. :)
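To see why the `>=` check broke clamping only for SYNs that carry MSS as their sole option, here is an added example (not code from ipfilter or m0n0wall) that walks a TCP options block with both the pre-patch and the patched bounds check and rewrites the MSS in place. The option bytes are constructed, and the TCPOPT_ macros, clamp_mss and run_case are this example's own names.

```c
#include <stdint.h>
#include <string.h>
#define TCPOPT_EOL 0
#define TCPOPT_NOP 1
#define TCPOPT_MSS 2

/* Walk the TCP options [cp, ep) of a SYN; clamp an MSS option to maxmss in
 * place and return the resulting MSS, or 0 if no MSS option was accepted.
 * strict=1 reproduces the pre-patch check (&cp[advance] >= ep), strict=0 the patched one. */
int clamp_mss(uint8_t *cp, uint8_t *ep, uint16_t maxmss, int strict)
{
    while (cp < ep) {
        uint8_t opt = cp[0], advance;
        if (opt == TCPOPT_EOL)
            break;
        if (opt == TCPOPT_NOP) { cp++; continue; }
        if (&cp[1] >= ep)       /* no room for the length byte */
            break;
        advance = cp[1];
        if (advance < 2)        /* malformed length: never advance by 0 */
            break;
        if (strict ? &cp[advance] >= ep : &cp[advance] > ep)
            break;              /* option would run past the end of the header */
        if (opt == TCPOPT_MSS && advance == 4) {
            uint16_t mss = (uint16_t)(cp[2] << 8 | cp[3]);
            if (mss > maxmss) { /* rewrite the option in place */
                cp[2] = (uint8_t)(maxmss >> 8);
                cp[3] = (uint8_t)maxmss;
                mss = maxmss;
            }
            return mss;
        }
        cp += advance;
    }
    return 0;
}

/* Constructed SYN option blocks (not captured traffic), each with MSS = 1460. */
static const uint8_t OPTS_MSS_ONLY[]   = { 2, 4, 0x05, 0xb4 };
static const uint8_t OPTS_MSS_WSCALE[] = { 2, 4, 0x05, 0xb4, 1, 3, 3, 7 }; /* MSS, NOP, wscale */
static const uint8_t OPTS_TRUNCATED[]  = { 2, 4, 0x05 };                  /* MSS cut short */

/* Copy one option block into a scratch buffer and clamp it to the PPPoE
 * limit of 1452 (1492 MTU minus 40 bytes of IP and TCP headers). */
int run_case(const uint8_t *opts, size_t len, int strict)
{
    uint8_t buf[40];
    memcpy(buf, opts, len);
    return clamp_mss(buf, buf + len, 1452, strict);
}
```

With the old check the MSS-only SYN returns 0 (untouched, so the 1460 leaks through to the DSL side), while MSS followed by other options clamps to 1452 either way; the truncated block is rejected by both checks.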



--- sys/contrib/ipfilter/netinet/ip_nat.c.orig	Mon Apr 28 18:08:46 2003
+++ sys/contrib/ipfilter/netinet/ip_nat.c	Mon Apr 28 18:09:10 2003
@@ -2984,7 +2984,7 @@
 			if (&cp[1] >= ep)
 			advance = cp[1];
-			if (&cp[advance] >= ep)
+			if (&cp[advance] > ep)
 			switch (opt) {
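Review bot: the hunk header advertises 7 lines per side but only 5 are shown, and both `if (&cp[1] >= ep)` and `if (&cp[advance] > ep)` appear without the statement they govern, so the patch as pasted into this mail is missing two lines and will not apply cleanly; it needs the full hunk. On the change itself, `>` is the right comparison: `ep` marks the end of the options area, so an option whose last byte sits at `ep[-1]` has `&cp[advance] == ep` and is complete, which the old `>=` rejected whenever the option being examined (here MSS) was the last one in the header; `>` still rejects an option that overruns `ep`. Worth confirming that the surrounding loop guards against `advance` being zero, since `advance = cp[1]` is taken straight from the packet and the visible lines show no such check.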