jbremer / honeyd

Automatically exported from code.google.com/p/honeyd

honeyd bug with ACKs #6

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
From Spiros Antonatos:

We recently discovered a bug in the honeyd implementation of the TCP stack.
When an ACK is delayed and comes after fresh data has arrived, honeyd
falls into an infinite loop.

More specifically, the line
acked = th_ack - con->snd_una;

in the TCP_RECV_SEND_DATA macro (honeyd.c file) causes an integer overflow
when a delayed ACK is received, and thus honeyd considers an amount of more
than 4GB to be acked.

We hunted the bug as follows. In the TCP_CHECK_SEQ_OR_ACK macro (honeyd.c
file) there is code that checks delayed packets:

if (TCP_SEQ_LT(th_ack, con->snd_una)) { \
        if (tcp->th_flags & TH_RST) \
                goto drop; \
} \

but it only treats RST packets. We commented out the
"if (tcp->th_flags & TH_RST)" line, and thus all delayed ACK packets are
ignored. We tested our fix and it does not break any connections or
transfers.

Original issue reported on code.google.com by pro...@gmail.com on 2 Feb 2008 at 8:52
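The arithmetic behind this report, as an added example that is not code from honeyd or from the reporter: the unsigned subtraction `th_ack - snd_una` wraps to a value near 4GB when a delayed ACK carries an acknowledgement number behind `snd_una`, and a sequence-aware check that drops any such segment (not only RSTs) before the subtraction removes the wrap. `TCP_SEQ_LT` is a BSD-style definition assumed to match honeyd's, and all sequence values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Sequence comparison modulo 2^32, BSD style (assumed to match honeyd's
 * TCP_SEQ_LT): the difference is reinterpreted as signed 32-bit, so an
 * acknowledgement that lies "behind" snd_una compares as less even when
 * the sequence space has wrapped around. */
#define TCP_SEQ_LT(a, b) ((int32_t)((a) - (b)) < 0)

/* Behaviour described in the report: subtract unconditionally.
 * snd_una stands in for con->snd_una. For a delayed ACK with
 * th_ack < snd_una the unsigned result wraps to roughly 2^32 - delta. */
uint32_t acked_unchecked(uint32_t snd_una, uint32_t th_ack)
{
    return th_ack - snd_una;
}

/* Hardened variant of the check: a segment whose ACK is behind snd_una is
 * dropped regardless of the RST flag, so the subtraction only ever runs on
 * an ACK at or beyond snd_una. Returns -1 to signal "drop this segment",
 * otherwise the number of newly acknowledged bytes. */
int64_t acked_checked(uint32_t snd_una, uint32_t th_ack)
{
    if (TCP_SEQ_LT(th_ack, snd_una))
        return -1;                      /* stale (delayed) ACK: drop */
    return (int64_t)(th_ack - snd_una);
}

int main(void)
{
    uint32_t snd_una   = 1000;   /* constructed: oldest unacked byte */
    uint32_t fresh_ack = 1200;   /* acknowledges 200 new bytes */
    uint32_t late_ack  = 900;    /* delayed ACK, arrived after snd_una moved */

    printf("fresh ACK: unchecked=%u checked=%lld\n",
           acked_unchecked(snd_una, fresh_ack),
           (long long)acked_checked(snd_una, fresh_ack));
    printf("late ACK:  unchecked=%u checked=%lld\n",
           acked_unchecked(snd_una, late_ack),
           (long long)acked_checked(snd_una, late_ack));

    /* Sequence-space wrap: snd_una near 2^32, ACK just past zero is still
     * "ahead" and yields a small, correct byte count. */
    printf("wrapped:   checked=%lld\n",
           (long long)acked_checked(0xFFFFFF00u, 0x00000010u));
    return 0;
}
```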