[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Failed TCP connection reset when processing overlapping data segments

Dear mirage-tcpip development team,

I am Lucas Aubard. I am a PhD student in an Inria lab in Rennes, France.
This PhD is supervised by Gilles Guette (IMT Atlantique), Pierre Chifflier (ANSSI) and Johan Mazel (ANSSI).

During our research work, we analyzed mirage-tcpip 9.0.0 reassembly when processing overlapping TCP data segments. We noticed something weird for some of our test cases.

The testing scenario for every test case is as follow:
  • a handshake is initiated from 192.168.56.200 host to 192.168.57.203 mirage-tcpip host, targetting its TCP Echo port 7.
  • the overlapping data chunks are sent from the initiator.
  • the initiator resets the TCP connection with a RST+ACK packet.
Every packet that mirage-tcpip host echoes back is acknowledged by the initiator.

In the impacted test cases, mirage-tcpip echoes some data but not the maximum possible amount of data. In fact, from what we observe across mirage test case reassemblies, it does not echo back overlapping data segments. This may be related to this part of mirage-tcpip code https://github.com/mirage/mirage-tcpip/blob/6766a3f0b34695e19797a1264697d3dd1343c73e/src/tcp/segment.ml#L151. The following termination of the TCP connections with a RST+ACK packet fails.
We believe that mirage-tcpip considers that the RST+ACK packet sequence number is invalid because it is located after all sent data (including the overlapping segments). Since mirage-tcpip does not echo the maximum possible amount of data, we hypothesize that the initiator SND.NXT internal variable is not the same as the RCV.NXT value in mirage-tcpip.

Attached are the pcap files and plots for some (random) overlap test cases illustrating the problem.
You can see in the pcap files that mirage-tcpip sends an ACK after the RST+ACK packets whose acknowledgment is not related to the last data sent by the initiator.
This means that mirage does not consider the sequence number of the RST+ACK packet as valid, ignores this RST+ACK packet, and does not close the TCP connection. Mirage here expects data that follows the last valid data it observed.

Can you confirm that our understanding of the mirage-tcpip TCP stack behavior is correct, in particular in term of data overlap and sequence number processing?

Best regards,
Lucas Aubard.

Attachment: pcaps.zip
Description: Zip archive

Attachment: plots.zip
Description: Zip archive

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.