Date: Thu, 24 Mar 2011 16:15:57 -0400
From: John Baldwin <jhb@freebsd.org>
To: freebsd-net@freebsd.org
Cc: sec@42.org, Doug Barton <dougb@freebsd.org>
Subject: Re: The tale of a TCP bug
Message-ID: <201103241615.57852.jhb@freebsd.org>
In-Reply-To: <201103241551.14405.jhb@freebsd.org>
References: <4D8B99B4.4070404@FreeBSD.org> <201103241551.14405.jhb@freebsd.org>
On Thursday, March 24, 2011 3:51:14 pm John Baldwin wrote:
> On Thursday, March 24, 2011 3:21:24 pm Doug Barton wrote:
> > http://blogmal.42.org/tidbits/tcp-bug.story
> >
> > $someone really needs to take a look at this. :)
>
> This is the same bug I reported back in February in this e-mail:
>
> http://lists.freebsd.org/pipermail/freebsd-net/2011-February/027892.html
>
> His patch may be the more correct fix though. I have two other TCP bugs also
> awaiting review that I posted on the same day.

Actually, I retract that a bit. I saw the problem with window updates for an
established connection and his proposed change doesn't cover that. Also, I
think the root problem is that tp->rcv_wnd is calculated incorrectly in this
case. However, I'd be curious to see if the patch from my original e-mail
fixes the issue first. Otherwise, something like this may apply instead:

Index: tcp_input.c =================================================================== --- tcp_input.c (revision 219911) +++ tcp_input.c (working copy) @@ -1694,7 +1694,10 @@ tcp_do_segment(struct mbuf *m, struct tcphdr *th, win = sbspace(&so->so_rcv); if (win < 0) win = 0; - tp->rcv_wnd = imax(win, (int)(tp->rcv_adv - tp->rcv_nxt)); + if (SEQ_GEQ(tp->rcv_adv, tp->rcv_nxt)) + tp->rcv_wnd = imax(win, (int)(tp->rcv_adv - tp->rcv_nxt)); + else + tp->rcv_wnd = win; /* Reset receive buffer auto scaling when not in bulk receive mode. */ tp->rfbuf_ts = 0;

I think that will fix tp->rcv_wnd to be correct in this case thus fixing
further uses of it.

-- 
John Baldwin
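
Review bot: The new `else` branch (`tp->rcv_wnd = win;`) in the tcp_do_segment() hunk looks equivalent to what the removed line already computed, so it is worth confirming that the change alters behaviour before relying on it. When `tp->rcv_adv` is behind `tp->rcv_nxt`, the `(int)` cast in the removed line already makes the difference negative (assuming 32-bit sequence numbers and a 32-bit `int`), and the context lines clamp `win` to at least 0, so `imax()` would have returned `win` in that case as well. If the guard is kept for readability, a short comment above `if (SEQ_GEQ(tp->rcv_adv, tp->rcv_nxt))` saying when `rcv_adv` can lag `rcv_nxt` would help; if a behaviour change is intended, the input that produces a different `tp->rcv_wnd` before and after should be spelled out.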