Hu Ruinan wrote:
> Description:
> When a TCP connection is in the ESTABLISHED state, OpenBSD's TCP
> implementation incorrectly accepts a packet with an acknowledgment
> number (ACK) smaller than expected and containing the FIN+ACK flags.
> In my test, I sent such a FIN+ACK packet with a smaller ACK value and
> OpenBSD accepted it, responded with FIN+ACK.
>
> According to RFC 9293, if the ACK is a duplicate, it can be ignored. If the
> ACK acks something not yet sent, then send an ACK, drop the segment, and
> return.
>
> I captured the trace using tcpdump on OpenBSD machine, and attached it at the
> end of this report.

Hi Hu Ruinan,

I noticed that you tested this on 7.6. I believe I am confirming your
findings on 7.7.

16:15:39.552835 127.0.0.1.46346 > 127.0.0.1.1337: S 1486961020:1486961020(0) win 64224 <mss 1460,nop,eol>
16:15:39.552880 127.0.0.1.1337 > 127.0.0.1.46346: S 431368469:431368469(0) ack 1486961021 win 16384 <mss 32728> (DF)
16:15:39.552894 127.0.0.1.46346 > 127.0.0.1.1337: R 1486961021:1486961021(0) win 0 (DF)
16:15:39.619842 127.0.0.1.46346 > 127.0.0.1.1337: . ack 1 win 502
16:15:39.619862 127.0.0.1.1337 > 127.0.0.1.46346: R 431368470:431368470(0) win 0 (DF)
16:15:39.629098 127.0.0.1.46346 > 127.0.0.1.1337: F 1:1(0) ack 4294967292 win 502
16:15:39.629112 127.0.0.1.1337 > 127.0.0.1.46346: R 431368465:431368465(0) win 0 (DF)
16:15:39.949422 127.0.0.1.46346 > 127.0.0.1.1337: . ack 2 win 502 <nop,nop,eol>
16:15:39.949452 127.0.0.1.1337 > 127.0.0.1.46346: R 431368471:431368471(0) win 0 (DF)

I tried to reproduce this with IPv6, but am not 100% sure scapy supports IPv6.

-Henrich
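
For reference, the ESTABLISHED-state ACK check from RFC 9293 that the report cites, written out as an added example; it is not part of either message and is not OpenBSD code. It also includes the optional RFC 5961 lower bound that RFC 9293 describes, which goes beyond what the report quotes; the names classify_ack, ack_verdict and the SEQ_* macros are hypothetical, and the values in main() are constructed from the sequence numbers in the trace above.

```c
#include <stdint.h>
#include <stdio.h>

/* Sequence numbers wrap modulo 2^32, so compare via the signed difference. */
#define SEQ_LT(a, b)  ((int32_t)((uint32_t)(a) - (uint32_t)(b)) < 0)
#define SEQ_LEQ(a, b) ((int32_t)((uint32_t)(a) - (uint32_t)(b)) <= 0)

enum ack_verdict {
    ACK_ADVANCES,   /* SND.UNA < SEG.ACK <= SND.NXT: new data acknowledged */
    ACK_DUPLICATE,  /* SEG.ACK <= SND.UNA: the ACK field can be ignored */
    ACK_TOO_OLD,    /* SEG.ACK < SND.UNA - MAX.SND.WND: send ACK, discard */
    ACK_UNSENT      /* SEG.ACK > SND.NXT: send ACK, drop segment, return */
};

/* Classify SEG.ACK against the sender state of an ESTABLISHED connection. */
enum ack_verdict classify_ack(uint32_t snd_una, uint32_t snd_nxt,
                              uint32_t max_snd_wnd, uint32_t seg_ack)
{
    if (SEQ_LT(snd_nxt, seg_ack))
        return ACK_UNSENT;
    /* Optional RFC 5961 lower bound, as described in RFC 9293. */
    if (SEQ_LT(seg_ack, snd_una - max_snd_wnd))
        return ACK_TOO_OLD;
    if (SEQ_LEQ(seg_ack, snd_una))
        return ACK_DUPLICATE;
    return ACK_ADVANCES;
}

const char *verdict_name(enum ack_verdict v)
{
    static const char *names[] = { "advances", "duplicate", "too-old", "unsent" };
    return names[v];
}

int main(void)
{
    /* Constructed from the trace: server ISS 431368469, so SND.UNA and
     * SND.NXT are assumed to be ISS+1; 64224 is the window in the peer's SYN. */
    uint32_t una = 431368470u, nxt = 431368470u, wnd = 64224u;
    uint32_t acks[] = { 431368470u, 431368465u, 431368471u };

    for (unsigned i = 0; i < sizeof(acks) / sizeof(acks[0]); i++)
        printf("SEG.ACK %u -> %s\n", (unsigned)acks[i],
               verdict_name(classify_ack(una, nxt, wnd, acks[i])));
    return 0;
}
```

The signed-difference comparison is only meaningful when the two values are less than 2^31 apart, which is the usual assumption for TCP sequence arithmetic.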
