From owner-svn-src-releng@freebsd.org Wed Jan 9 18:42:41 2019 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 22542148A39C; Wed, 9 Jan 2019 18:42:41 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id B876A6E757; Wed, 9 Jan 2019 18:42:40 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 91140200B0; Wed, 9 Jan 2019 18:42:40 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x09Igevv009455; Wed, 9 Jan 2019 18:42:40 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x09Ige51009454; Wed, 9 Jan 2019 18:42:40 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201901091842.x09Ige51009454@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f From: Ed Maste Date: Wed, 9 Jan 2019 18:42:40 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r342894 - releng/12.0/sys/netinet X-SVN-Group: releng X-SVN-Commit-Author: emaste X-SVN-Commit-Paths: releng/12.0/sys/netinet X-SVN-Commit-Revision: 342894 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: B876A6E757 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.96 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.96)[-0.958,0]; NEURAL_HAM_LONG(-1.00)[-0.998,0] X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jan 2019 18:42:41 -0000 Author: emaste Date: Wed Jan 9 18:42:40 2019 New Revision: 342894 URL: https://svnweb.freebsd.org/changeset/base/342894 Log: MFS12 r342378: Fix a regression in the TCP handling of received segments. When receiving TCP segments the stack protects itself by limiting the resources allocated for a TCP connections. This patch adds an exception to these limitations for the TCP segement which is the next expected in-sequence segment. Without this patch, TCP connections may stall and finally fail in some cases of packet loss. Approved by: so Security: FreeBSD-EN-19:02.tcp Modified: releng/12.0/sys/netinet/tcp_reass.c Directory Properties: releng/12.0/ (props changed) Modified: releng/12.0/sys/netinet/tcp_reass.c ============================================================================== --- releng/12.0/sys/netinet/tcp_reass.c Wed Jan 9 18:38:35 2019 (r342893) +++ releng/12.0/sys/netinet/tcp_reass.c Wed Jan 9 18:42:40 2019 (r342894) @@ -579,7 +579,8 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, tcp_seq */ lenofoh = tcp_reass_overhead_of_chain(m, &mlast); sb = &tp->t_inpcb->inp_socket->so_rcv; - if ((sb->sb_mbcnt + tp->t_segqmbuflen + lenofoh) > sb->sb_mbmax) { + if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) && + (sb->sb_mbcnt + tp->t_segqmbuflen + lenofoh) > sb->sb_mbmax) { /* No room */ TCPSTAT_INC(tcps_rcvreassfull); #ifdef TCP_REASS_COUNTERS @@ -588,6 +589,11 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, tcp_seq #ifdef TCP_REASS_LOGGING tcp_log_reassm(tp, NULL, NULL, th->th_seq, lenofoh, TCP_R_LOG_LIMIT_REACHED, 0); #endif + if ((s = tcp_log_addrs(&tp->t_inpcb->inp_inc, th, NULL, NULL))) { + log(LOG_DEBUG, "%s; %s: mbuf count limit reached, " + "segment dropped\n", s, __func__); + free(s, M_TCPLOG); + } m_freem(m); *tlenp = 0; #ifdef TCP_REASS_LOGGING @@ -936,6 +942,20 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, tcp_seq * is understood. */ new_entry: + if (th->th_seq == tp->rcv_nxt && TCPS_HAVEESTABLISHED(tp->t_state)) { + tp->rcv_nxt += *tlenp; + flags = th->th_flags & TH_FIN; + TCPSTAT_INC(tcps_rcvoopack); + TCPSTAT_ADD(tcps_rcvoobyte, *tlenp); + SOCKBUF_LOCK(&so->so_rcv); + if (so->so_rcv.sb_state & SBS_CANTRCVMORE) { + m_freem(m); + } else { + sbappendstream_locked(&so->so_rcv, m, 0); + } + sorwakeup_locked(so); + return (flags); + } if (tcp_new_limits) { if ((tp->t_segqlen > tcp_reass_queue_guard) && (*tlenp < MSIZE)) { @@ -960,9 +980,7 @@ new_entry: return (0); } } else { - - if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) && - tp->t_segqlen >= min((so->so_rcv.sb_hiwat / tp->t_maxseg) + 1, + if (tp->t_segqlen >= min((so->so_rcv.sb_hiwat / tp->t_maxseg) + 1, tcp_reass_maxqueuelen)) { TCPSTAT_INC(tcps_rcvreassfull); *tlenp = 0;