
Predictable ISN + ARP poisoning + TCP underflow #66

@CupCupRay

Description


Summary

The TCP/IP stack has three input-validation issues: a predictable TCP initial sequence number (ISN) that enables session hijacking, an ARP cache that accepts replies without matching them to a request this host sent (enabling MITM on the local segment), and an unchecked TCP data_offset that makes the payload-length computation underflow.

Details

1. Predictable TCP Initial Sequence Number

kernel/net/tcp_ip.c:611-616:

static uint32_t tcp_isn_counter = 0x12345678;  // hardcoded seed: identical state after every boot
static uint32_t tcp_generate_isn(void) {
    tcp_isn_counter = tcp_isn_counter * 1103515245 + 12345;  // ANSI C rand() LCG constants
    return tcp_isn_counter;  // the full 32-bit LCG state is handed out as the ISN
}

Because the entire 32-bit LCG state is returned as the ISN, an attacker who observes a single ISN (by sniffing one SYN-ACK, or simply by opening a connection to the host) can compute every subsequent ISN, and the hardcoded seed means the sequence is the same after every reboot. That enables TCP session hijacking against other hosts' connections (RST injection, data injection).
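The prediction described above, worked through as an added example (not code from tcp_ip.c): the reported LCG, the attacker-side predictor that turns one observed ISN into all later ones, and an RFC 6528-style replacement (ISN = M + F(4-tuple, secret) with a 4 µs clock M). The keyed mixer standing in for F, the secret values and the addresses are assumptions for illustration; a real stack would use a proper keyed hash (RFC 6528 describes MD5; SipHash is common today) with a secret drawn from a CSPRNG at boot.

```c
#include <stdint.h>
#include <stdio.h>

/* Generator as reported: a 32-bit LCG whose entire state is handed out as the ISN. */
static uint32_t tcp_isn_counter = 0x12345678u;
uint32_t tcp_generate_isn_lcg(void) {
    tcp_isn_counter = tcp_isn_counter * 1103515245u + 12345u;
    return tcp_isn_counter;
}

/* Attacker side: one observed ISN (from a sniffed SYN-ACK, or from a
 * connection the attacker opens) fixes every later ISN. */
uint32_t predict_next_isn(uint32_t observed_isn) {
    return observed_isn * 1103515245u + 12345u;
}

/* Number of correct predictions out of `rounds`, each made from the previous ISN only. */
unsigned lcg_prediction_hits(unsigned rounds) {
    unsigned hits = 0;
    uint32_t seen = tcp_generate_isn_lcg();
    for (unsigned i = 0; i < rounds; i++) {
        uint32_t guess = predict_next_isn(seen);
        seen = tcp_generate_isn_lcg();
        if (guess == seen) hits++;
    }
    return hits;
}

/* RFC 6528: ISN = M + F(laddr, lport, raddr, rport, secret), M a 4 microsecond clock. */
struct isn_secret { uint64_t k0, k1; };   /* filled once at boot from a CSPRNG (assumption) */

/* Placeholder keyed mixer so the example is self-contained (assumption, not a
 * cryptographic hash); a real stack uses a proper keyed hash here. */
static uint32_t keyed_mix(const struct isn_secret *s, uint32_t a, uint32_t b) {
    uint64_t v = s->k0 ^ (((uint64_t)a << 32) | b);
    for (int i = 0; i < 4; i++) {
        v ^= v >> 33;
        v *= 0xff51afd7ed558ccdULL;
        v ^= v >> 29;
        v += s->k1;
    }
    return (uint32_t)(v ^ (v >> 32));
}

uint32_t tcp_generate_isn_rfc6528(const struct isn_secret *s,
                                  uint32_t laddr, uint16_t lport,
                                  uint32_t raddr, uint16_t rport,
                                  uint64_t now_usec) {
    uint32_t m = (uint32_t)(now_usec / 4);                 /* 4 microsecond tick */
    uint32_t ports = ((uint32_t)lport << 16) | rport;
    uint32_t f = keyed_mix(s, keyed_mix(s, laddr, raddr), ports);
    return m + f;                                          /* wraps mod 2^32 as intended */
}

int main(void) {
    /* constructed secret and addresses, not real values */
    struct isn_secret s = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };
    printf("LCG: %u/1000 ISNs predicted from one observation\n", lcg_prediction_hits(1000));
    printf("RFC 6528 ISN for 10.0.0.1:443 <- 10.0.0.2:51000: %08x\n",
           tcp_generate_isn_rfc6528(&s, 0x0A000001u, 443, 0x0A000002u, 51000, 1000000));
    return 0;
}
```

With the RFC 6528 scheme an ISN observed on one connection still advances with the clock, but the offset F differs per 4-tuple and depends on a secret the attacker does not have, so it no longer reveals the ISN of any other connection.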

2. ARP cache poisoning — no request validation

kernel/net/tcp_ip.c:380-403:

arp_add() accepts any ARP reply without checking that it answers a request this host has outstanding, and gratuitous ARP is accepted unconditionally. Any host on the same broadcast segment can therefore overwrite the cached MAC address for the gateway or any peer and place itself in the middle of that traffic.
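One way to implement the request matching, as an added example (not the project's arp_add()): a small pending-request table that is consulted before any reply may touch the cache, with an expiry on pending entries and a per-second cap on replies processed. The table size, the 1 s expiry, the rate cap and the addresses are assumptions for illustration; arp_add_unchecked() reproduces the behaviour the report describes, for contrast.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define ARP_TABLE           16
#define ARP_PENDING_TTL_MS  1000   /* a reply must arrive within 1 s of our request (assumption) */
#define ARP_REPLY_RATE_MAX  8      /* replies considered per 1 s window before dropping (assumption) */

enum { ARP_ACCEPTED = 0, ARP_UNSOLICITED = -1, ARP_STALE = -2, ARP_RATE_LIMITED = -3 };

struct arp_entry   { uint32_t ip; uint8_t mac[6]; bool valid; };
struct arp_pending { uint32_t ip; uint64_t sent_ms; bool used; };

static struct arp_entry   arp_cache[ARP_TABLE];
static struct arp_pending arp_pending[ARP_TABLE];
static uint64_t arp_rate_window_ms;
static unsigned arp_rate_count;

void arp_reset(void) {
    memset(arp_cache, 0, sizeof arp_cache);
    memset(arp_pending, 0, sizeof arp_pending);
    arp_rate_window_ms = 0;
    arp_rate_count = 0;
}

const uint8_t *arp_lookup(uint32_t ip) {
    for (int i = 0; i < ARP_TABLE; i++)
        if (arp_cache[i].valid && arp_cache[i].ip == ip) return arp_cache[i].mac;
    return NULL;
}

static void arp_cache_store(uint32_t ip, const uint8_t mac[6]) {
    int slot = -1;
    for (int i = 0; i < ARP_TABLE; i++) {
        if (arp_cache[i].valid && arp_cache[i].ip == ip) { slot = i; break; }
        if (!arp_cache[i].valid && slot < 0) slot = i;
    }
    if (slot < 0) slot = 0;                 /* table full: crude eviction of slot 0 */
    arp_cache[slot].ip = ip;
    memcpy(arp_cache[slot].mac, mac, 6);
    arp_cache[slot].valid = true;
}

/* The behaviour the report describes for arp_add(): whatever the reply claims goes into the cache. */
void arp_add_unchecked(uint32_t ip, const uint8_t mac[6]) { arp_cache_store(ip, mac); }

/* Record that we are asking for `ip`; the caller transmits the actual ARP request. */
int arp_request_send(uint32_t ip, uint64_t now_ms) {
    int slot = -1;
    for (int i = 0; i < ARP_TABLE; i++) {
        if (arp_pending[i].used && arp_pending[i].ip == ip) { slot = i; break; }
        if (!arp_pending[i].used && slot < 0) slot = i;
    }
    if (slot < 0) return -1;                /* too many outstanding requests */
    arp_pending[slot].ip = ip;
    arp_pending[slot].sent_ms = now_ms;
    arp_pending[slot].used = true;
    return 0;
}

/* Hardened reply path: only a fresh answer to our own request may update the cache.
 * Gratuitous ARP and replies nobody asked for fall through as ARP_UNSOLICITED. */
int arp_handle_reply(uint32_t sender_ip, const uint8_t sender_mac[6], uint64_t now_ms) {
    if (now_ms - arp_rate_window_ms >= 1000) {     /* start a new 1 s window */
        arp_rate_window_ms = now_ms;
        arp_rate_count = 0;
    }
    if (++arp_rate_count > ARP_REPLY_RATE_MAX) return ARP_RATE_LIMITED;

    for (int i = 0; i < ARP_TABLE; i++) {
        if (!arp_pending[i].used || arp_pending[i].ip != sender_ip) continue;
        arp_pending[i].used = false;               /* one reply per request */
        if (now_ms - arp_pending[i].sent_ms > ARP_PENDING_TTL_MS) return ARP_STALE;
        arp_cache_store(sender_ip, sender_mac);
        return ARP_ACCEPTED;
    }
    return ARP_UNSOLICITED;
}

int main(void) {
    const uint8_t evil_mac[6] = { 0xde, 0xad, 0xbe, 0xef, 0x00, 0x01 };   /* constructed */
    arp_reset();
    printf("unsolicited reply for 192.168.0.1 -> %d (0 would mean accepted)\n",
           arp_handle_reply(0xC0A80001u, evil_mac, 1000));
    return 0;
}
```

Matching replies to requests closes the "reply out of nowhere" and gratuitous-ARP cases, but an attacker who sees the request on the wire can still race the legitimate answer during the 1 s window, so static entries for critical hosts (the gateway) or switch-side dynamic ARP inspection remain the stronger control.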

3. TCP data_offset integer underflow

kernel/net/tcp_ip.c:769-770:

size_t header_len = ((tcp->data_offset >> 4) & 0xF) * 4;
size_t data_len = tcp_len - header_len;  // underflow if header_len > tcp_len

A segment whose data_offset field encodes a header_len larger than tcp_len makes the size_t subtraction wrap, so data_len becomes a value near SIZE_MAX. That bogus length feeds the ACK computation and whatever consumes the payload, so the receiver's view of the stream diverges from the sender's (protocol state confusion). A data_offset below 5 (header_len < 20) is also invalid per RFC 793 and is not rejected either; such a segment has its options region treated as payload.
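The underflow and the check that stops it, as an added example (not code from tcp_ip.c): the reported arithmetic reproduced on a raw segment buffer beside a hardened parser that rejects truncated segments, header lengths below 20 and header lengths beyond the segment before doing any subtraction. The constructed segments are zero-filled except for the data offset byte; make_segment() is a helper for this example only.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TCP_MIN_HDR 20   /* RFC 793: data offset is at least 5 words */

/* The arithmetic from the report on a raw segment: byte 12 carries the data offset
 * in its upper nibble and nothing compares it with tcp_len. */
size_t vulnerable_data_len(const uint8_t *seg, size_t tcp_len) {
    size_t header_len = ((seg[12] >> 4) & 0xF) * 4;
    return tcp_len - header_len;        /* wraps toward SIZE_MAX when header_len > tcp_len */
}

/* Hardened version: returns 0 and fills both lengths, or -1 for a segment that
 * must be dropped before any length arithmetic or payload access. */
int tcp_parse_lengths(const uint8_t *seg, size_t tcp_len,
                      size_t *header_len, size_t *data_len) {
    if (tcp_len < TCP_MIN_HDR) return -1;                 /* byte 12 is not even readable */
    size_t hl = (size_t)((seg[12] >> 4) & 0xF) * 4;
    if (hl < TCP_MIN_HDR || hl > tcp_len) return -1;      /* the check the report suggests */
    *header_len = hl;
    *data_len = tcp_len - hl;                             /* cannot underflow now */
    return 0;
}

/* Constructed test segment: zeroed header, data offset `doff_words`, `tcp_len` bytes total. */
size_t make_segment(uint8_t *out, size_t cap, unsigned doff_words, size_t tcp_len) {
    if (tcp_len > cap) tcp_len = cap;
    memset(out, 0, tcp_len);
    if (tcp_len > 12) out[12] = (uint8_t)((doff_words & 0xF) << 4);
    return tcp_len;
}

int main(void) {
    uint8_t seg[64];
    size_t hl = 0, dl = 0;
    make_segment(seg, sizeof seg, 15, 24);   /* claims a 60-byte header inside a 24-byte segment */
    printf("vulnerable data_len = %zu\n", vulnerable_data_len(seg, 24));
    printf("hardened parse -> %d\n", tcp_parse_lengths(seg, 24, &hl, &dl));
    return 0;
}
```

The tcp_len >= 20 check has to come first: the suggested header_len comparison reads data_offset from byte 12, which is itself out of bounds for a segment shorter than the fixed header.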

Suggested Fixes

  1. Generate ISNs per RFC 6528: ISN = M + F(localip, localport, remoteip, remoteport, secret), where M is a 4 µs clock and F a keyed hash whose secret is drawn from a CSPRNG at boot, instead of a shared LCG whose state is exposed in every ISN
  2. Accept an ARP reply only when it answers a request this host sent recently (match on the sender IP and expire pending entries); drop unsolicited and gratuitous replies, and rate-limit ARP reply processing
  3. Reject malformed segments before any length arithmetic: check tcp_len >= 20 before reading data_offset, then if (header_len < 20 || header_len > tcp_len) return;

Impact

MEDIUM — TCP session hijacking, MITM via ARP spoofing, protocol state confusion.
