From: John Baldwin <jhb@freebsd.org>
To: freebsd-net@freebsd.org
Cc: sec@42.org, Doug Barton
Date: Thu, 24 Mar 2011 16:15:57 -0400
Subject: Re: The tale of a TCP bug
Message-Id: <201103241615.57852.jhb@freebsd.org>
In-Reply-To: <201103241551.14405.jhb@freebsd.org>
References: <4D8B99B4.4070404@FreeBSD.org> <201103241551.14405.jhb@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

On Thursday, March 24, 2011 3:51:14 pm John Baldwin wrote:
> On Thursday, March 24, 2011 3:21:24 pm Doug Barton wrote:
> > http://blogmal.42.org/tidbits/tcp-bug.story
> > 
> > $someone really needs to take a look at this. :)
> 
> This is the same bug I reported back in February in this e-mail:
> 
> http://lists.freebsd.org/pipermail/freebsd-net/2011-February/027892.html
> 
> His patch may be the more correct fix though.  I have two other TCP bugs also
> awaiting review that I posted on the same day.

Actually, I retract that a bit.  I saw the problem with window updates for an
established connection and his proposed change doesn't cover that.  Also, I
think the root problem is that tp->rcv_wnd is calculated incorrectly in this
case.  However, I'd be curious to see if the patch from my original e-mail
fixes the issue first.  Otherwise, something like this may apply instead:

Index: tcp_input.c
===================================================================
--- tcp_input.c	(revision 219911)
+++ tcp_input.c	(working copy)
@@ -1694,7 +1694,10 @@ tcp_do_segment(struct mbuf *m, struct tcphdr *th,
 	win = sbspace(&so->so_rcv);
 	if (win < 0)
 		win = 0;
-	tp->rcv_wnd = imax(win, (int)(tp->rcv_adv - tp->rcv_nxt));
+	if (SEQ_GEQ(tp->rcv_adv, tp->rcv_nxt))
+		tp->rcv_wnd = imax(win, (int)(tp->rcv_adv - tp->rcv_nxt));
+	else
+		tp->rcv_wnd = win;
 
 	/* Reset receive buffer auto scaling when not in bulk receive mode. */
 	tp->rfbuf_ts = 0;

I think that will fix tp->rcv_wnd to be correct in this case thus fixing
further uses of it.

-- 
John Baldwin
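Review bot: as written this hunk does not change behaviour, so it cannot by itself correct the rcv_wnd value the mail is worried about. SEQ_GEQ(a, b) in sys/netinet/tcp_seq.h expands to ((int)((a) - (b)) >= 0), so the new else branch is taken exactly when (int)(tp->rcv_adv - tp->rcv_nxt) is negative, and in that case the original imax(win, (int)(tp->rcv_adv - tp->rcv_nxt)) already returned win, because win was clamped to >= 0 by the "if (win < 0) win = 0;" two lines above. The inputs that inflate rcv_wnd are the ones this test lets through: an rcv_adv that is not a meaningful advertisement for this connection (stale, or never set) but whose 32-bit distance from rcv_nxt casts to a large positive int, which still goes straight into imax. If the intent is to stop trusting rcv_adv when it is not valid for the connection, the guard needs to key on connection state or on an upper bound for the (rcv_adv - rcv_nxt) term (it can never legitimately exceed what the receive buffer could have advertised), not on its sign; a comment above the new test explaining which situation it is meant to catch would also help the next reader.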
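As an added illustration, not part of this thread or of the FreeBSD source, the following stand-alone C model reproduces the receive-window computation from the hunk above in both its original and its patched form. It uses the real SEQ_GEQ definition from sys/netinet/tcp_seq.h, a local stand-in for the kernel's imax(), an integer parameter in place of sbspace(&so->so_rcv), and constructed sample values. Running it shows that the two forms return the same value for every input, and that an rcv_adv far "ahead" of rcv_nxt in modular sequence space (here a never-set value of 0 against an rcv_nxt in the upper half of sequence space) yields a window far larger than the socket buffer in both forms.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t tcp_seq;

/* Same macro as sys/netinet/tcp_seq.h: compares 32-bit sequence numbers
 * modulo 2^32 by looking at the sign of the two's-complement difference.
 * (The int cast of a value >= 2^31 is implementation-defined in C; every
 * platform FreeBSD runs on wraps it to a negative number.) */
#define SEQ_GEQ(a, b)   ((int)((a) - (b)) >= 0)

/* Local stand-in for the kernel's imax(). */
static int imax(int a, int b) { return a > b ? a : b; }

/* Original computation from tcp_do_segment(): the receive window is the
 * free space in the socket buffer, but never less than what has already
 * been advertised (rcv_adv - rcv_nxt).  'space' models sbspace(). */
static unsigned long rcv_wnd_orig(int space, tcp_seq rcv_adv, tcp_seq rcv_nxt)
{
    int win = space < 0 ? 0 : space;          /* the existing clamp */
    return (unsigned long)imax(win, (int)(rcv_adv - rcv_nxt));
}

/* The same computation as proposed in the patch. */
static unsigned long rcv_wnd_patched(int space, tcp_seq rcv_adv, tcp_seq rcv_nxt)
{
    int win = space < 0 ? 0 : space;
    if (SEQ_GEQ(rcv_adv, rcv_nxt))
        return (unsigned long)imax(win, (int)(rcv_adv - rcv_nxt));
    return (unsigned long)win;
}

/* Constructed vectors: socket buffer space, last advertised right edge,
 * next expected sequence number. */
struct vec { int space; tcp_seq rcv_adv; tcp_seq rcv_nxt; };

static const struct vec vectors[] = {
    {  65536,        1500,        1000 }, /* advertised window below free space */
    {   1000,       70000,         500 }, /* already advertised more than space */
    {     -5,        1000,        2000 }, /* rcv_adv behind rcv_nxt, space < 0  */
    {  65536, 0xFFFFFF00u, 0x00000100u }, /* rcv_adv 512 behind, across a wrap  */
    {  65536, 0x00000100u, 0xFFFFFF00u }, /* rcv_adv 512 ahead, across a wrap   */
    {  65536,           0, 0xC0000000u }, /* rcv_adv never set: 2^30 "ahead"    */
    {  65536,           0, 0x40000000u }, /* rcv_adv never set: 2^30 behind     */
};
#define NVEC (sizeof(vectors) / sizeof(vectors[0]))

/* Returns 1 when the original and patched computations agree on every
 * vector, i.e. the sign test adds nothing given the earlier clamp of win. */
static int patch_changes_nothing(void)
{
    size_t i;
    for (i = 0; i < NVEC; i++)
        if (rcv_wnd_orig(vectors[i].space, vectors[i].rcv_adv, vectors[i].rcv_nxt) !=
            rcv_wnd_patched(vectors[i].space, vectors[i].rcv_adv, vectors[i].rcv_nxt))
            return 0;
    return 1;
}

/* Window computed when rcv_adv holds 0 (as if never set) while rcv_nxt sits
 * in the upper half of sequence space: the unsigned difference 0x40000000
 * casts to a positive int and wins over the 64 KiB of real buffer space,
 * with or without the patch. */
static unsigned long inflated_window(void)
{
    return rcv_wnd_patched(65536, 0, 0xC0000000u);
}

int main(void)
{
    size_t i;
    for (i = 0; i < NVEC; i++)
        printf("space=%6d rcv_adv=0x%08" PRIx32 " rcv_nxt=0x%08" PRIx32
               "  orig=%lu patched=%lu\n",
               vectors[i].space, vectors[i].rcv_adv, vectors[i].rcv_nxt,
               rcv_wnd_orig(vectors[i].space, vectors[i].rcv_adv, vectors[i].rcv_nxt),
               rcv_wnd_patched(vectors[i].space, vectors[i].rcv_adv, vectors[i].rcv_nxt));
    printf("patch changes nothing: %d\n", patch_changes_nothing());
    printf("window with rcv_adv never set: %lu\n", inflated_window());
    return 0;
}
```

Compile with any C99 compiler (for example `cc -std=c99 -Wall rcv_wnd.c`). The last two vectors are the interesting pair: the same stale rcv_adv of 0 gives a 1 GiB window or a 64 KiB window depending only on which half of sequence space rcv_nxt happens to fall in, which is why a guard on the sign of the difference cannot catch the problematic case.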