IBM Support

The CVE-2018-6922 fix (FreeBSD vulnerability) and scp

Troubleshooting


Problem

After installing the fix for CVE-2018-6922 on AIX (APARs IJ09618 through IJ09625), scp may fail with a broken pipe error.
 

Symptom

The scp command fails with a broken pipe error.  Network traces show a lot of dropped and retransmitted packets.
 

Cause

The fix for CVE-2018-6922 adds a network option, tcp_maxqueuelen, that limits the number of TCP segments held in the reassembly queue (out-of-order segments waiting for the gap ahead of them to be filled) so that a flood of such segments cannot consume all of network memory.  Prior to this fix, there was no limit on the size of the queue.  With the limit in place, segments that arrive while the queue is full are discarded and must be retransmitted by the sender, which is why the network traces show dropped and retransmitted packets.  Because scp tries to keep the link full at the available bandwidth, a burst of loss or reordering can quickly leave more out-of-order segments than the queue allows, so scp is especially likely to hit this limit.
 

Diagnosing The Problem

The easiest way to confirm that this fix is the cause of the scp failure is to temporarily disable the TCP segment queue size limit by running the following command as root.  (The current value can be displayed with "no -o tcp_maxqueuelen"; without -p, "no -o" changes only the running value, and a value of 0 means no limit.)
 
no -o tcp_maxqueuelen=0
 
If scp succeeds after making this change, the fix for CVE-2018-6922 is the cause of the scp problem.  A value of 0 removes the protection the fix added, so leave it in place only for the duration of the test and then set a finite limit as described under "Resolving The Problem".
 

Resolving The Problem

The tcp_maxqueuelen option must be tuned to a value that allows scp to succeed while still limiting the number of outstanding TCP segments, so that network memory cannot be exhausted.  The optimal setting varies with the environment; the most influential factors are network bandwidth and TCP window size (a larger bandwidth-delay product means more segments in transit, and therefore more that can arrive out of order) and CPU speed (how fast scp can encrypt and decrypt data).
 
Double the value of tcp_maxqueuelen repeatedly until scp no longer fails (the default value is 1000).  Then decrease the value in smaller steps until it starts failing again.  Finally, choose a value above the point where it starts failing that includes a reasonable buffer, such as 1000 or 2000 more.  To make this value permanent (applied to the running system and after each reboot), run the following command.
 
no -p -o tcp_maxqueuelen=<value>
 
For example,
 
no -p -o tcp_maxqueuelen=12000
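The search above is easy to lose track of by hand, so the following script automates it.  It is an added example, not part of the IBM technote: the hypothetical scp_probe function, the TEST_FILE and TEST_HOST placeholders, and the sim_probe stand-in (a constructed probe that pretends scp starts succeeding at 5300 segments) are all assumptions made here so the search can be exercised without an AIX host.

```shell
#!/bin/sh
# Added example, not part of the IBM technote: automate the tcp_maxqueuelen
# search (double until scp passes, step down until it fails again, then add
# a margin).  Written for POSIX sh so it also runs under AIX ksh.
#
# find_tcp_maxqueuelen PROBE [START] [STEP] [MARGIN]
#   PROBE  : name of a shell function called with a candidate tcp_maxqueuelen
#            value as $1; it must return 0 if scp succeeded at that value.
#   START  : first value to try (default 1000, the AIX default limit)
#   STEP   : decrement used in the narrowing phase (default 500)
#   MARGIN : safety buffer added to the lowest passing value (default 2000)
# Prints the recommended value on stdout.
find_tcp_maxqueuelen() {
    probe=$1; start=${2:-1000}; step=${3:-500}; margin=${4:-2000}
    v=$start
    # Phase 1: double the limit until the probe transfer succeeds.  The cap is
    # a sanity stop: if scp still fails with a huge queue, the limit is not
    # the cause and the search must not run forever.
    while ! "$probe" "$v"; do
        v=$((v * 2))
        if [ "$v" -gt 1048576 ]; then
            echo "scp never succeeded; tcp_maxqueuelen is probably not the cause" >&2
            return 1
        fi
    done
    lowest_pass=$v
    # Phase 2: step the limit back down until the transfer fails again.  The
    # last value that still passed is the floor we must stay above.
    while [ $((v - step)) -ge 1 ]; do
        v=$((v - step))
        if "$probe" "$v"; then
            lowest_pass=$v
        else
            break
        fi
    done
    echo $((lowest_pass + margin))
}

# Hypothetical probe for an affected AIX host (assumed environment, run as
# root): set the limit for the running kernel only ("no -o" without -p),
# then repeat the transfer that was failing.  TEST_FILE and TEST_HOST are
# placeholders to replace with a real file and destination host.
scp_probe() {
    no -o tcp_maxqueuelen="$1" >/dev/null || return 1
    scp -q "$TEST_FILE" "$TEST_HOST:/tmp/" >/dev/null 2>&1
}

# Constructed stand-in for scp_probe so the search can be exercised without
# an AIX host: pretend scp succeeds at 5300 segments and above.
sim_probe() { [ "$1" -ge 5300 ]; }

# Dry run against the simulated probe: 1000, 2000 and 4000 fail, 8000 passes,
# then 7500 down to 5500 pass and 5000 fails, so the floor is 5500 and the
# recommended value is 5500 + 2000 = 7500.
find_tcp_maxqueuelen sim_probe 1000 500 2000

# On the affected host, persist the result with "no -p" (current value and
# next boot):
#   TEST_FILE=/tmp/bigfile TEST_HOST=remotehost
#   value=$(find_tcp_maxqueuelen scp_probe) && no -p -o tcp_maxqueuelen="$value"
```

Every call of the real probe changes the live kernel limit, so run the search in a maintenance window, and remember that it finishes with tcp_maxqueuelen set to the last value probed (a failing one): always follow it with the "no -p" command for the chosen value, or restore the previous setting if the search reports that the limit is not the cause.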
 

SUPPORT:

If additional assistance is required after completing all of the instructions provided in this document, please follow the step-by-step instructions below to contact IBM to open a case for software under warranty or with an active and valid support contract.  The technical support specialist assigned to your case will confirm that you have completed these steps.

a.  Document and/or take screen shots of all symptoms, errors, and/or messages that might have occurred

b.  Capture any logs or data relevant to the situation.

c.  Contact IBM to open a case:

   -For electronic support, please visit the IBM Support Community:
     https://www.ibm.com/mysupport
   -If you require telephone support, please visit the web page:
      https://www.ibm.com/planetwide/

d.  Provide a good description of your issue and reference this technote

e.  Upload all of the details and data to your case

   -You can attach files to your case in the IBM Support Community
   -Or upload data to the IBM testcase server for analysis:

    http://www.ibm.com/support/docview.wss?uid=ibm10733581


Document information

More support for: AIX family

Software version: All Versions

Operating system(s): AIX

Reference #: 0794755

Modified date: 25 March 2019