I've traced down an off-by-one TCP checksum calculation error under
the following conditions:
1) The TCP code needs to split a full-sized packet due to a reduced
MSS (typically due to the addition of TCP options mid-stream like
2) The checksum of the 2nd fragment is larger than the checksum of the
original packet. After subtraction this results in a checksum for
the 1st fragment with bits 16..31 set to 1. (this is ok)
3) The checksum of the 1st fragment's TCP header plus the previously
32bit checksum of the 1st fragment DOES NOT cause a 32bit overflow
when added together. This results in a checksum of the TCP header
plus TCP data that still has the upper 16 bits as 1's.
4) The TCP+data checksum is added to the checksum of the pseudo IP
header with csum_tcpudp_nofold() incorrectly (the bug).
The problem is the checksum of the TCP+data is passed to
csum_tcpudp_nofold() as an 32bit unsigned value, however the assembly
code acts on it as if it is a 64bit unsigned value.
This causes an incorrect 32->64bit extension if the sum has bit 31
set. The resulting checksum is off by one.
This problems is data and TCP header dependent due to #2 and #3
above so it doesn't occur on every TCP packet split.
Patch below is against 2.6.20, however this problem looks like it's
been around since at least Aug 2003 when the 64bit ASM was added to
Signed-off-by: Dave Johnson <email@example.com>
--- old/include/asm-mips/checksum.h 2007-01-24 14:23:22 -05:00
+++ new/include/asm-mips/checksum.h 2007-04-18 10:31:27 -04:00
@@ -166,7 +166,7 @@
"r" (proto + len),
- "r" (sum));
+ "r" ((__force unsigned long)sum));