deadsimple BSD Security Advisories and Announcements

FreeBSD Errata Notice FreeBSD-EN-22:25.tcp

Hash: SHA512

FreeBSD-EN-22:25.tcp                                      Errata Notice
                                                          The FreeBSD Project

Topic:          Possible data corruption with TCP SACK retransmissions

Category:       core
Module:         tcp
Announced:      2022-08-28
Credits:	Richard Scheffenegger
Affects:        FreeBSD 13.1
Corrected:      2022-09-14 01:28:03 UTC (stable/13, 13.1-STABLE)
                2022-11-01 13:28:11 UTC (releng/13.1, 13.1-RELEASE-p3)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit

I.   Background

TCP supports an enhancement that allows faster recovery and retransmission of
data when loss is discovered called Selected Acknowledgements (SACK).

SACK allows a TCP sender to communicate more information about which segments
are lost. During a SACK episode a TCP sender will reduce its rate to avoid
causing congestion on the network.

II.  Problem Description

A change made to make TCP more resilient and effective when handling loss
recovery by SACK, could lead to connection interruption when incoming ACKs
suddenly no longer contain SACK blocks.

III. Impact

This can lead to correct data being placed at the wrong offset in the
stream in a non-deterministic manner. This can result in termination of
the TCP connection by the application or in the worst case silent data

IV.  Workaround

Disable SACK globally by setting the net.inet.tcp.sack.enable sysctl to 0:

    # sysctl net.inet.tcp.sack.enable=0

Note that this will only affect new connections. Thus, either persist the
setting in /etc/sysctl.conf and reboot, or ensure that any critical connections
are restarted after modifying the sysctl setting.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

A reboot is required for these changes to be applied.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

A reboot is required for these changes to be applied.

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch
# fetch
# gpg --verify tcp.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:> and reboot the

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/13/                              2b8ee332b938  stable/13-n252399
releng/13.1/                            dd35207e2025  releng/13.1-n250162
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:


To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at