From owner-freebsd-bugs@FreeBSD.ORG Fri Mar 29 00:00:01 2013
Message-Id: <201303282355.r2SNt4KM071110@red.freebsd.org>
Date: Thu, 28 Mar 2013 23:55:04 GMT
From: HouYeFei&XiBoLiu
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/177456: An error in calculating the TCP sequence number will result in the machine restarting

>Number:         177456
>Category:       misc
>Synopsis:       An error in calculating the TCP sequence number will result in the machine restarting
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 29 00:00:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     HouYeFei&XiBoLiu
>Release:        FreeBSD-9.0
>Organization:
H3C
>Environment:
FreeBSD www.unixnotes.net 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Sun May 4 12:36:15 HKT 2012 root@www.unixnotes.net:/usr/src/sys/i386/compile/unixnotes i386
>Description:
There are a large number of TCP links between the Client and the Server, and each link can transmit large amounts of data. The Client is low on memory and, at the same time, it wants to establish a new TCP connection to the Server. The Client sends a SYN message and starts the retransmission timer, but the first retransmission fails to send because there are not enough mbufs. At this time, the sequence number of transmitted messages on the tcpcb (tp->snd_nxt) regresses. Then a SYN+ACK message is received, and in processing it the tp->snd_una sequence number is increased by 1, resulting in tp->snd_nxt < th->snd_una. It appears that the send buffer has data to send, but it is actually empty, and Tcp_output is called to send an ACK to the Server. But Tcp_output enters the mbuf replication process, leading to access of a null pointer.
>How-To-Repeat:
Make the Client and the Server create a large number of TCP links. The Client's system is FreeBSD 9.0.
>Fix:
Please read the patch file

Patch attached with submission follows:

case TCPS_SYN_SENT: /* Do window scaling on this connection? */ if ((tp->t_flags & (TF_RCVD_SCALE|TF_REQ_SCALE)) == (TF_RCVD_SCALE|TF_REQ_SCALE)) { tp->rcv_scale = tp->request_r_scale; } tp->rcv_adv += imin(tp->rcv_wnd, TCP_MAXWIN << tp->rcv_scale); tp->snd_una++; /* SYN is acked */ the begin of modification: if (SEQ_LT(tp->snd_nxt, tp->snd_una)) { tp->snd_nxt = tp->snd_una; } the end of modification: /* * If there's data, delay ACK; if there's also a FIN * ACKNOW will be turned on later. */ if (DELAY_ACK(tp) && tlen != 0) tcp_timer_activate(tp, TT_DELACK, tcp_delacktime); else tp->t_flags |= TF_ACKNOW;

>Release-Note:
>Audit-Trail:
>Unformatted:
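Review bot: the added check after "tp->snd_una++; /* SYN is acked */" in the TCPS_SYN_SENT case restores snd_nxt >= snd_una only once the SYN+ACK arrives, while the description places the regression of tp->snd_nxt earlier, at the failed SYN retransmission. Consider correcting (or at least also checking) the path that leaves snd_nxt rolled back, so the inverted pair never exists between the failed send and the SYN+ACK, and add a comment above "if (SEQ_LT(tp->snd_nxt, tp->snd_una))" naming the event that can leave snd_nxt behind snd_una. The markers "the begin of modification:" and "the end of modification:" are bare text inside the code and the excerpt names no source file or revision; a unified diff against the affected file would make the change reviewable and applicable.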
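The inverted pair described in the report (tp->snd_nxt behind tp->snd_una while the send buffer is empty), replayed in user space as an added example; it is not the submitter's patch and not FreeBSD kernel code. The struct mini_tcpcb, the bytes_to_send() length step and the CLAMP_NAIVE mode are assumptions made for illustration, and the example goes slightly beyond the report by also running the case where the sequence number wraps past 2^32.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t tcp_seq;
/* Modular "less than" on 32-bit sequence numbers (same idea as the kernel's SEQ_LT). */
#define SEQ_LT(a, b) ((int32_t)((a) - (b)) < 0)

enum clamp { CLAMP_NONE, CLAMP_SEQ_LT, CLAMP_NAIVE };

/* Hypothetical reduced control block: only the two fields the report names. */
struct mini_tcpcb {
	tcp_seq snd_una;	/* oldest unacknowledged sequence number */
	tcp_seq snd_nxt;	/* next sequence number to send */
};

/* Assumed, simplified send-length step: buffer bytes minus offset past snd_una. */
static long bytes_to_send(const struct mini_tcpcb *tp, unsigned long sb_cc)
{
	int32_t off = (int32_t)(tp->snd_nxt - tp->snd_una);
	return (long)sb_cc - off;
}

/* SYN+ACK handling in SYN_SENT: ack the SYN, then optionally clamp snd_nxt. */
static void syn_acked(struct mini_tcpcb *tp, enum clamp mode)
{
	tp->snd_una++;				/* SYN is acked */
	if (mode == CLAMP_SEQ_LT && SEQ_LT(tp->snd_nxt, tp->snd_una))
		tp->snd_nxt = tp->snd_una;	/* the check from the report */
	if (mode == CLAMP_NAIVE && tp->snd_nxt < tp->snd_una)
		tp->snd_nxt = tp->snd_una;	/* plain '<' misses wraparound */
}

/* Replays the reported sequence with an EMPTY send buffer.
 * Returns the computed send length: 0 is correct, 1 is a phantom byte. */
static long reported_sequence(tcp_seq iss, enum clamp mode)
{
	struct mini_tcpcb tp = { .snd_una = iss, .snd_nxt = iss + 1 }; /* SYN sent */
	tp.snd_nxt = tp.snd_una;	/* modelled regression after the failed retransmit */
	syn_acked(&tp, mode);
	return bytes_to_send(&tp, 0);
}

int main(void)
{
	printf("no clamp:          %ld\n", reported_sequence(0xfffffffeu, CLAMP_NONE));
	printf("SEQ_LT clamp:      %ld\n", reported_sequence(0xfffffffeu, CLAMP_SEQ_LT));
	printf("naive '<' at wrap: %ld\n", reported_sequence(0xffffffffu, CLAMP_NAIVE));
	printf("SEQ_LT at wrap:    %ld\n", reported_sequence(0xffffffffu, CLAMP_SEQ_LT));
	return 0;
}
```

A non-zero result with an empty buffer is the state in which a sender would go on to copy data that does not exist; the wrap case shows why the check has to use the modular comparison rather than a plain '<'.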