Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 9 Oct 2025 08:00:15 GMT
From:      Michael Tuexen <tuexen@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 41e9c68d9ac1 - stable/15 - tcp: improve SEG.ACK validation in SYN-RECEIVED
Message-ID:  <202510090800.59980FGd051912@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch stable/15 has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=41e9c68d9ac186381163bdce05bbd7a1c9925661

commit 41e9c68d9ac186381163bdce05bbd7a1c9925661
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2025-10-06 20:39:31 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2025-10-09 07:59:49 +0000

    tcp: improve SEG.ACK validation in SYN-RECEIVED
    
    According to the fifth step in SEGMENT ARRIVES, send a RST segment in
    response to an ACK segment which fails the SEG.ACK check, but leave
    the endpoint state unchanged.
    FreeBSD handles this correctly when entering the SYN-RECEIVED state via
    the SYN-SENT state, but not in the SYN-cache code, which handles the
    SYN-RECEIVED state via the LISTEN state.
    
    This also fixes a panic reported by Alexander Leidinger.
    
    Reviewed by:            jtl, glebius
    Sponsored by:           Netflix, Inc.
    Differential Revision:  https://reviews.freebsd.org/D52934
    
    (cherry picked from commit 8af2f06a99b10c0d3ab9021949e750852662672a)
---
 sys/netinet/tcp_syncache.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index 2bb99596f965..1fb6104a2944 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -1285,7 +1285,8 @@ syncache_expand(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 				    "segment rejected\n",
 				    s, __func__, th->th_ack, sc->sc_iss + 1);
 			SCH_UNLOCK(sch);
-			goto failed;
+			free(s, M_TCPLOG);
+			return (0);  /* Do send RST, do not free sc. */;
 		}
 
 		TAILQ_REMOVE(&sch->sch_bucket, sc, sc_hash);

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202510090800.59980FGd051912>