Home page logo

bugtraq logo Bugtraq mailing list archives

Update: Subtle data corruption of TCP streams
From: wietse () PORCUPINE ORG (Wietse Venema)
Date: Fri, 24 Mar 2000 10:38:36 -0500

Apparently, once instance of this data corruption problem is caused
by an unnamed bandwidth management system.  It runs as a bridge,
and does not show up in traceroute etc. output.  We were able to
estimate its location (at 5 ms round-trip time from one endpoint)
by analyzing packet arrival times.

Until now, this TCP data corruption problem has been observed only
when one of the connection endpoints runs a recent LINUX version.
Sightings have been reported by sites in Germany and in France.

Only recent LINUX versions request the use of timestamp options
that cause the tell-tale patterns of "01 01 08 0a" in TCP packets,
and that end up being regurgitated as ^A^A^H^J data.

I have updated the analysis at ftp://ftp.porcupine.org/pub/debugging/


Wietse Venema:
This note is about a subtle data corruption problem with TCP data
streams that may bite people as more and more (LINUX) systems are
sending network traffic with TCP-level options turned on.

Last week, several Postfix users reported mail delivery failures
because sequences of control characters (for example, ^A^A^H) were
being inserted into their SMTP connections, resulting in SMTP
protocol errors and non-delivery of email.

These data corruption problems are not host specific: they are
observed with both Linux and BSD/OS systems, and with mail sent to
and/or received from systems running Postfix, Sendmail and qmail.

Over the weekend of March 18, 2000, a few people left tcpdump
running on their machines, in order to record some of these corrupted
SMTP sessions.  This note is based on an analysis of that data.

  By Date           By Thread  

Current thread:
  • Update: Subtle data corruption of TCP streams Wietse Venema (Mar 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]