Disclaimer: 

Please note: Although OBSOLETED patches are available on SunSolve, Sun recommends using the most recent patches and the most recent revision of those patches. OBSOLETED patches do not include the latest bug fixes and/or product enhancements, and may require the installation of additional patches as a corrective measure.

Status: OBSOLETE

Patch Id: 119435-23

***********************************************************************
READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT
FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE, YOU
AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE
TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE.
***********************************************************************

Summary: Obsoleted by: 119435-24 SunOS 5.9_x86: ip patch

Date:  Apr/23/2008

Installation Requirements:

Reboot immediately after installing this patch on an active boot environment to bring the system to a consistent state. An alternative may be specified in the Special Install Instructions.                      
                      Use Single User Mode (run level S) when installing this patch on an active boot environment.  An alternative may be specified in the Special Install Instructions.

Solaris Release: 9_x86

Sun OS Release: 5.9_x86

Unbundled Product: 

Unbundled Release: 

Xref: This patch available for SPARC as patch 114344

Topic: 

SunOS 5.9_x86: ip patch

Relevant Architecture: i386

BugId's fixed with this patch:

4157198 4294701 4511681 4658177 4685978 4690625 4691277 4708720 4727825 4758660 4773220 4775897 4777295 4796820 4803389 4808860 4825472 4834142 4837086 4846184 4867136 4963675 4978063 5013238 5019039 5078640 5079629 5084073 5084452 5089150 5094229 6176096 6210681 6212756 6214946 6220619 6227733 6229034 6235832 6240205 6241739 6251862 6257723 6259389 6259467 6276464 6301112 6310343 6313308 6332525 6354773 6395535 6395540 6402737 6459412 6463069 6493627 6521112 6532784 6561086 6564842 6621380

Changes incorporated in this version:

6402737

Patches accumulated and obsoleted by this patch:

114859-04 114925-07 115013-01 115015-01 117470-09 119446-02

Patches which conflict with this patch: 

Required Patches:

115684-02 117172-17 (or greater)

Obsoleted by:

Files Included in this Patch: 

/kernel/drv/arp
/kernel/drv/icmp
/kernel/drv/ip
/kernel/drv/ipsecah
/kernel/drv/spdsock
/kernel/drv/tcp
/kernel/drv/udp
/kernel/strmod/arp
/kernel/strmod/icmp
/kernel/strmod/ip
/kernel/strmod/ipsecah
/kernel/strmod/tcp
/kernel/strmod/udp
/sbin/in.mpathd
/usr/include/inet/arp.h
/usr/include/inet/ip.h
/usr/include/inet/ip_if.h
/usr/include/inet/tcp.h
/usr/include/ipmp.h
/usr/include/ipmp_mpathd.h
/usr/include/ipmp_query.h
/usr/include/net/if.h
/usr/include/netinet/in.h
/usr/lib/abi/abi_libipmp.so.1
/usr/lib/adb/tcp
/usr/lib/inet/in.mpathd
/usr/lib/libipmp.so
/usr/lib/libipmp.so.1
/usr/lib/llib-lipmp
/usr/lib/llib-lipmp.ln
/usr/sbin/if_mpadm

Problem Description: 

6402737 IP spends too much time identifying bad remote host when under SYN attack
 
(from 119435-22)
 
6621380 panic in ip_rput_local_options caused by IP-in-IP packet
 
(from 119435-21)
 
5079629 Multicast joins may fail due to holes in arp and IP
 
(from 119435-20)
 
4773220 provide API to set source address of UDP/IPv4 datagrams
6240205 reassembly code for IP fragments can allow to pass wrong IP header up
6564842 assertion failed: ire->ire_type != 0x0020, file: ../../common/inet/ip/ip.c, line : 4253
 
(from 119435-19)
 
6532784 no-op SIOCSLIFFLAGS from in.mpathd impact performance under stress tests
 
(from 119435-18)
 
6561086 patch 114344-25 affects Oracle/RAC performance dramatically
 
(from 119435-17)
 
6459412 ip_strict_dst_multihoming does not handle multiple i/f with the same ip address
 
(from 119435-16)
 
4758660 panic in IP forwarding path after unplumb due to stale b_queue
 
(from 119435-15)
 
6176096 DoS attack on IP fragment handling
6210681 null pointer in ill_frag_free_pkts
6259467 ill_frag_prune() can be invoked with a negative number as second argument
 
(from 119435-14)
 
6493627 119435-13 needs to accumulate 119446-02
 
(from 119435-13)
 
4157198 ARP cache inconsistency between arp and ip modules
4978063 SO_DONTROUTE option causes ARP traffic for every frame
6463069 fix for CR 4157198 causes neg_advice_on_R1_{conn_a,conn_p,est} test failure
 
(from 119435-12)
 
6301112 Mangled Neighbor Solicitation messages out of Solaris in an IPMP configuration with IPv6
6310343 IPMP selects failed interfaces link local address
6395535 IPMP configured system will reply with MAC/Link local address mismatch for ICMP echo reply
 
(from 119435-11)
 
4825472 IPMPs in.mpathd causes unnecessary failovers if started without usable routers
5019039 in.mpathd induces icmp hurricanes in single-router environments
 
(from 119435-10)
 
4294701 2 same routing entries for loopback interfaces
6241739 reassembly of an ipv6 frag of frag causes fault
 
(from 119435-09)
 
        This revision addresses patch construction issues.
 
(from 119435-08)
 
6257723 source address selection is wrong if IPMP is enabled
 
(from 119435-07)
 
4796820 IPMP starts outgoing traffic on failed interface with option FAILBACK=no
5084073 fix for 4796820 is not enough
6220619 IGMP messages are not sent out when interfaces fail over
6332525 when NIC goes down temporarily before accept(), tcp connection is made IDLE
 
(from 119435-06)
 
6227733 need improved scalability in ipsec policy engine
4867136 ipsec_find_sel may return holding the HASH_LOCK
 
(from 119435-05)
 
4690625 logging doesn't seem to happen anymore
 
(from 119435-04)
 
4658177 panic while doing ifconfig addif on a partially configured tunnel
 
(from 119435-03)
 
6212756 UDP checksum 0x0000 not substituted with 0xffff for UDP over IPv6 packets
 
(from 119435-02)
 
4963675 Multicast Routing does not work over IP-in-IP tunnels (e.g. ip.tunXXX)
 
(from 119435-01)
 
6235832 panic in ip module during e1000g bind processing
 
(from 114925-07)
 
6229034 in.mpathd will abort on deferred probes with 0ms round-trip times
 
(from 114925-06)
 
4691277 IPMP wraps probe sequence numbers incorrectly
 
(from 114925-05)
 
5013238 in.mpathd prints "Cannot meet requested failure detection time" frequently
5078640 in.mpathd uses the probe_interval as a global variable
 
(from 114925-04)
 
4837086 CMSG_FIRSTHDR should return NULL when controllen == 0
 
(from 114925-03)
 
4803389 in.mpathd's lightweight router target selection logic KO'd by 4673190
4834142 redundant call to phyint_repaired() in initifs() can "lose" a probe
 
(from 114925-02)
 
4777295 PSARC/2002/615 IP Multipathing Query Interface
4775897 events for the ipmp anonymous group should be just like named groups
 
(from 114925-01)
 
4685978 IPMP does not detect NIC repair when only one of the two targets is up
4808860 mpathd deletes target list of phyints in all groups when link fails in one group
 
(from 115013-01)
 
4777295 PSARC/2002/615 IP Multipathing Query Interface
4775897 events for the ipmp anonymous group should be just like named groups
 
(from 115015-01)
 
4777295 PSARC/2002/615 IP Multipathing Query Interface
4775897 events for the ipmp anonymous group should be just like named groups
 
(from 119446-02)
 
4157198 ARP cache inconsistency between arp and ip modules
4978063 SO_DONTROUTE option causes ARP traffic for every frame
 
(from 119446-01)
 
6214946 publishing an arp entry causes source Ether Addr issue
 
(from 114859-04)
 
6313308 S9 UDP anonymous port assigned used/unavailable ports
 
(from 114859-03)
 
4708720 TCP/UDP make unwarranted ICMP M_CTL assumptions
 
(from 114859-02)
 
6251862 invalid UDP length and checksum
 
(from 114859-01)
 
4727825 local bound port hashing does not work effectively on Intel systems
 
(from 117470-09)
 
6521112 data corruption may occur when packet with invalid timestamp value is sent
 
(from 117470-08)
 
6395540 system hangs when we send one urgent Byte beyond zero send window
 
(from 117470-07)
 
4708720 TCP/UDP make unwarranted ICMP M_CTL assumptions
5084452 ICMP can snipe away incipient TCP connections
6354773 some changes made by 5084452 do not work with x86
 
(from 117470-06)
 
4511681 TCP vulnerable to Denial Of Service via "ACK storm"
 
(from 117470-05)
 
6276464 reads on a tcp endpoint with synchronous streams can return extents of the input buffer unmodified
 
(from 117470-04)
 
6259389 race condition between cl_tcp_walk_list() and connection establishment
 
(from 117470-03)
 
5094229 driver hangs when accessing tt_open
 
(from 117470-02)
 
4846184 slow receiving process causes timer based ACKing
 
(from 117470-01)
 
5089150 binding to a port which has already been bound may incorrectly succeed

Revision History: 

119435-12 119435-16 114925-07 119435-05 119435-22 119435-11 119435-18 114859-04 119435-06 119435-20 119435-10 119435-21 119435-09 119435-19 119435-03 119435-14 117470-09 119435-04 115015-01 119435-15 115013-01 119435-01

Patch Installation Instructions: 

--------------------------------
 
For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.
 
For Solaris 7-10 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions.  The following example
installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/104945-02
 
The following example removes a patch from a standalone system:
 
       example# patchrm 104945-02
 
For additional examples please see the appropriate man pages.

Special Install Instructions: 

-----------------------------
 
Not all patches listed in this section as needed for the completion
of a fix or feature, may be available at the same time as this patch.
This allows the remaining fixes/features to be made available sooner.
 
NOTE 1:  Perform patch installation in single user mode.
         Perform a reconfiguration boot, boot -r, after patch installation.
 
NOTE 2:  To get the complete fix for bug 4837086 (CMSG_FIRSTHDR should return
         NULL when controllen == 0), please also install the following patches:
 
         114348-05 (or greater)  in.routed patch
         114442-02 (or greater)  ifconfig patch
         116018-02 (or greater)  in.ndpd patch
         116507-02 (or greater)  traceroute patch
         116775-01 (or greater)  ping patch
         116777-01 (or greater)  mipagent patch
         116779-01 (or greater)  in.ripngd patch
 
NOTE 3:  Installing this patch will permanently move /sbin/in.mpathd to
         the new location /usr/lib/inet/in.mpathd.  /sbin/in.mpathd will
         then be replaced by a symlink to this new location.
         Backing this patch out will restore the original in.mpathd binary,
         but the positional change described above will not be undone.
 
NOTE 4:  To get the complete fix for bug 4796820 (IPMP starts outgoing traffic
         on failed interface with option FAILBACK=no), please also install the
         following patch:
 
         122674-01 (or greater)  sockio.h header patch
 
NOTE 5:  To get the complete fix for 6176096 (DoS attack on IP fragment
         handling), please also install the following patch:
 
         122301-04 (or greater)  kernel patch
 
NOTE 6:  To get the complete fix for bug 4708720 (TCP/UDP make unwarranted
         ICMP M_CTL assumptions), please also install the following patch:
 
         117470-07 (or greater)  tcp patch
         114859-03 (or greater)  udp patch
 
NOTE 7:  To get the complete fix the bug 6402737 ( IP spends too much time
         identifying bad remote host when under SYN attack), please also
         install the following patches:
 
         122301-25 (or greater)  Kernel Patch

README -- Last modified date:  Tuesday, July 29, 2008