From owner-freebsd-bugs@FreeBSD.ORG  Sat May 24 08:00:02 2008
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5A6481065672
	for <freebsd-bugs@hub.freebsd.org>;
	Sat, 24 May 2008 08:00:02 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 4A08E8FC18
	for <freebsd-bugs@hub.freebsd.org>;
	Sat, 24 May 2008 08:00:02 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m4O802tF058559
	for <freebsd-bugs@freefall.freebsd.org>; Sat, 24 May 2008 08:00:02 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m4O802OX058558;
	Sat, 24 May 2008 08:00:02 GMT (envelope-from gnats)
Resent-Date: Sat, 24 May 2008 08:00:02 GMT
Resent-Message-Id: <200805240800.m4O802OX058558@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	wang jin <wangjin@myhexin.com>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B85ED106566B
	for <freebsd-gnats-submit@FreeBSD.org>;
	Sat, 24 May 2008 07:57:32 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id BF7438FC15
	for <freebsd-gnats-submit@FreeBSD.org>;
	Sat, 24 May 2008 07:57:32 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m4O7u2Ev008148
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 24 May 2008 07:56:02 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id m4O7u2BP008147;
	Sat, 24 May 2008 07:56:02 GMT (envelope-from nobody)
Message-Id: <200805240756.m4O7u2BP008147@www.freebsd.org>
Date: Sat, 24 May 2008 07:56:02 GMT
From: wang jin <wangjin@myhexin.com>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc: 
Subject: kern/123950: TH_RST packet sended if received out-of-order data
	(ACK) in SYN_RECEIVED state 
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 24 May 2008 08:00:02 -0000


>Number:         123950
>Category:       kern
>Synopsis:       TH_RST packet sended if received out-of-order data (ACK) in SYN_RECEIVED state
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 24 08:00:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     wang jin
>Release:        FreeBSD 7.0
>Organization:
Hexin
>Environment:
FreeBSD cachemd 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Fri Mar 28 02:16:39 CST 2008     root@cachemd:/usr/src/sys/i386/compile/mykernel  i386
>Description:
TH_RST packet sended if received out-of-order data (ACK) in SYN_RECEIVED state:

tcpdump -iem0 -n host 211.1.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
15:35:55.354254 IP 211.1.1.1.6056 > 192.168.0.199.80: S 891246588:891246588(0) win 32768 <mss 1380,wscale 0,nop>
15:35:55.354503 IP 192.168.0.199.80 > 211.1.1.1.6056: S 2752342465:2752342465(0) ack 891246589 win 65535 <mss 1380>
15:35:56.359624 IP 211.1.1.1.6056 > 192.168.0.199.80: P 1381:1481(100) ack 1 win 32768
15:35:56.359806 IP 192.168.0.199.80 > 211.1.1.1.6056: R 2752342466:2752342466(0) win 0
15:35:57.366606 IP 211.1.1.1.6056 > 192.168.0.199.80: P 1:1381(1380) ack 1 win 32768
15:35:57.466694 IP 192.168.0.199.80 > 211.1.1.1.6056: . ack 1381 win 65535

Although TH_RST packet is sended, the connection state is ESTABLISHED
netstat -n | grep 211.1.1.1
tcp4       0      0  192.168.0.199.80       211.1.1.1.6056         ESTABLISHED



>How-To-Repeat:
the problem occurs when the first packet contained ACK from client is lost, or is out of order
>Fix:
the problem is caused by the following code(line 892,tcp_syncache.c):

        /*
         * The SEQ must match the received initial receive sequence
         * number + 1 (the SYN) because we didn't ACK any data that
         * may have come with the SYN.
         */
        if (th->th_seq != sc->sc_irs + 1) {
                if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
                        log(LOG_DEBUG, "%s; %s: SEQ %u != IRS+1 %u, segment "
                            "rejected\n", s, __func__, th->th_seq, sc->sc_irs);
                goto failed;
        }



>Release-Note:
>Audit-Trail:
>Unformatted: