Patch-ID# 103582-24 Keywords: security telnet ftp single tcp NDD web RTO FIN ack TLI delay output Synopsis: SunOS 5.5.1: /kernel/drv/tcp and /usr/bin/netstat patch Date: Oct/20/99 Solaris Release: 2.5.1 SunOS Release: 5.5.1 Unbundled Product: Unbundled Release: Xref: This patch available for x86 as patch 103581 Xref: This patch available for PPC as patch 103583 Topic: SunOS 5.5.1: /kernel/drv/tcp and /usr/bin/netstat patch NOTE: Refer to Special Install Instructions section for IMPORTANT specific information on this patch. BugId's fixed with this patch: 1182957 1206850 1233827 1248840 1249829 1250411 1259524 1261245 4005586 4011648 4015495 4017242 4022642 4034353 4034355 4043513 4052115 4069902 4089811 4128642 4143932 4178455 4205451 4217171 4273072 Changes incorporated in this version: 4273072 Relevant Architectures: sparc Patches accumulated and obsoleted by this patch: Patches which conflict with this patch: NOTE: iss_sparc-01 (or newer) Patches required with this patch: 103630-08 (or newer) Obsoleted by: Files included with this patch: /kernel/drv/tcp /usr/bin/netstat Problem Description: 4273072 panic in tcp_accept() only on 2.5.1 (from 103582-23) 4217171 2.5.1 Patch #103582-20 causes panic. (or 103582-15, but not -18???) (from 103582-22) 4205451 Output delayed when rsh -n from 5.5.1 to 5.6 (from 103582-21) 4217171 Patch 103582-20 causes panic (from 103582-20) 4178455 recursive mutex_enter panic in TCP Streams device driver (from 103582-19) 4128642 systems generate multiple old-broadcast tcp packets making the network useless (from 103582-18) 4143932 using explicit IP address to bind to a port in use fails on 2.5.1, but no on 2.6 (from 103582-17) 4089811 103582-11 patch fix for bug 1182957 causes Sybase server to hang This patch revision was generated to fix a typo in the original bugfix 4089811. (from 103582-16) 4089811 bugfix 1182957 causes Sybase server to hang (from 103582-15) 4069902 TCP in 2.5.1 should have similar slow start mechanism as in 2.6 (from 103582-14) This revision is generated to establish a dependency on the ip patch (103630-08 or newer). (from 103582-13) 4005586 netstat locks up TCP for too long due to inefficient code (from 103582-12) 4052115 putback of 1182957 broke an earlier fix 4043513 TCP Simultaneous Open feature does not work (from 103582-11) 1182957 SYNs can be sinful The bug that this patch addresses causes the system to become unusable to certain ports that come under SYN attack. During the SYN attack the attacker fills up the listen queue of the application, due to which additional incoming connections on the same port are dropped. By carefully timing these bogus SYNs an attacker can block out all legitimate incoming connections. (from 103582-10) 4034355 Solaris ignores KEEPALIVE probes without data 4034353 TCP/IP sometimes forgets PSH after sending URG. (from 103582-09) 1250411 rcp receives "random" connection reset by peer (from 103582-08) 4017242 PDB-System crash with BAD TRAP (from 103582-07) 4015495 connect deadlock when ephemeral port is same as dest port (from 103582-06) 4022642 TLI application causes Data Fault system panics (from 103582-05) 4011648 Fix for bug 1248840 introduces performance degradation in rsh (from 103582-04) 1259524 deadbeef panic in tcp_xmit_mp() (from 103582-03) 1261245 window probes can cause ack wars (from 103582-02) 1248840 TCP socket can't handle FIN pkt from client surely (deadlock) Fixed code to avoid system panic due to deallocated tcp structure. (from 103582-01) 1249829 connection times out if remote only sends zero-windows A connection that sends a zero window for more than tcp_ip_abort_interval interval will have the connection terminated. 1248840 TCP socket can't handle FIN pkt from client surely (deadlock) 1233827 tcp retransmits too much for short connections as seen at web sites 1206850 Solaris 2.4, telnet/ftp error in single user mode. Patch Installation Instructions: -------------------------------- Refer to the Install.info file within the patch for instructions on using the generic 'installpatch' and 'backoutpatch' scripts provided with each patch. Any other special or non-generic installation instructions should be described below. Special Install Instructions: ----------------------------- If the reason to install this patch is to fix bugid 1233827 (tcp retransmits too much for short connections as seen at web sites), the 2.5.1 ip patch (103630-01 or newer) is also required. NOTE: We recommend installing the following patches to get the complete support for large IP addresses: 103594-10 (or newer) usr/lib/sendmail fixes 104331-03 (or newer) usr/sbin/rpcbind patch 104956-01 (or newer) usr/sbin/in.rarpd patch 104958-01 (or newer) usr/sbin/in.rdisc patch 104960-01 (or newer) usr/sbin/snoop patch