From owner-freebsd-net@FreeBSD.ORG Thu Mar 24 23:02:36 2011
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7802A1065691; Thu, 24 Mar 2011 23:02:36 +0000 (UTC) (envelope-from sec@42.org)
Received: from ice.42.org (v6.42.org [IPv6:2001:608:9::1]) by mx1.freebsd.org (Postfix) with ESMTP id 2C5448FC18; Thu, 24 Mar 2011 23:02:36 +0000 (UTC)
Received: by ice.42.org (Postfix, from userid 1000) id 1FCFC2841D; Fri, 25 Mar 2011 00:02:35 +0100 (CET)
Date: Fri, 25 Mar 2011 00:02:35 +0100
From: Stefan `Sec` Zehl
To: John Baldwin
Cc: freebsd-net@freebsd.org, Doug Barton
Subject: Re: The tale of a TCP bug
Message-ID: <20110324230235.GB90901@ice.42.org>
References: <4D8B99B4.4070404@FreeBSD.org> <201103241551.14405.jhb@freebsd.org> <201103241615.57852.jhb@freebsd.org>
In-Reply-To: <201103241615.57852.jhb@freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.3i
X-Current-Backlog: 3848 messages
I-love-doing-this: really
X-Modeline: vim:set ts=8 sw=4 smarttab tw=72 si noic notitle:
Accept-Languages: de, en
X-URL: http://sec.42.org/
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 24 Mar 2011 23:02:36 -0000

Hi,

I just subscribed to this list, so sorry if I missed some previous
discussion on this.

On Thu, Mar 24, 2011 at 16:15 -0400, John Baldwin wrote:
[...]
> Otherwise, something like this may apply instead:
>
> Index: tcp_input.c
> ===================================================================
> --- tcp_input.c (revision 219911)
> +++ tcp_input.c (working copy)
> @@ -1694,7 +1694,10 @@ tcp_do_segment(struct mbuf *m, struct tcphdr *th,
> win = sbspace(&so->so_rcv);
> if (win < 0)
> win = 0;
> - tp->rcv_wnd = imax(win, (int)(tp->rcv_adv - tp->rcv_nxt));
> + if (SEQ_GEQ(tp->rcv_adv, tp->rcv_nxt))
> + tp->rcv_wnd = imax(win, (int)(tp->rcv_adv - tp->rcv_nxt));
> + else
> + tp->rcv_wnd = win;
>
> /* Reset receive buffer auto scaling when not in bulk receive mode. */
> tp->rfbuf_ts = 0;
>
> I think that will fix tp->rcv_wnd to be correct in this case thus fixing
> further uses of it.

I just quickly tested it on my bug scenario, and it still generates
adv=-1 in tcp_output. That is because win=65536, which is bigger than
the actually advertised window (65535, the max that can be advertised
without window scaling).

CU,
Sec
--
To paraphrase RFC1925: Time, talent, willingness: Pick any two.
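Review bot: the SEQ_GEQ() guard added in this hunk does not change the value tp->rcv_wnd ends up with. win has just been clamped to >= 0, and SEQ_GEQ(tp->rcv_adv, tp->rcv_nxt) being false means precisely that the 32-bit difference (int)(tp->rcv_adv - tp->rcv_nxt) is negative, so the original imax(win, ...) already selected win in that case; the new else branch is equivalent to the line it replaces, which matches the follow-up test still seeing adv=-1 in tcp_output. The value that needs a bound is win itself: sbspace() can return more than the largest window the peer can be sent (65535 without window scaling, as the reply notes), and nothing in this computation caps it, so tp->rcv_wnd can still exceed what tcp_output is able to advertise. Suggest capping win at the maximum advertisable window for the receive scale in use before it is assigned to tp->rcv_wnd, dropping the SEQ_GEQ branch, and adding a comment on why the cap is needed.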
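To make the reply's observation concrete, here is a small C model (added here; not code from the thread or from FreeBSD) of the two computations at issue: the window calculation from the quoted patch and the "adv" check in tcp_output that compares the sendable window against the edge already advertised. The struct tcpcb_model, set_rcv_wnd(), window_advance(), replay_adv(), the sequence numbers used, the 32-bit SEQ_GEQ definition, the 65535 cap and the way rcv_adv is recorded are all assumptions of this model; replaying win=65536 without window scaling shows the advance going to -1 unless win is first capped.

```c
#include <stdint.h>

#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)  /* as in <netinet/tcp_seq.h>, assumed */
#define TCP_MAXWIN 65535                           /* widest unscaled window field value */

static int imax(int a, int b) { return a > b ? a : b; }

struct tcpcb_model {    /* constructed stand-in for the tcpcb fields discussed */
    uint32_t rcv_nxt;   /* next sequence number expected from the peer */
    uint32_t rcv_adv;   /* right edge of the window we last advertised */
    uint32_t rcv_wnd;   /* receive window currently being offered */
    int rcv_scale;      /* window-scale shift applied to our window */
};

/* tcp_do_segment's window computation with the quoted patch applied; with
 * clamp != 0 it first caps win at what the window field can carry on the wire. */
void set_rcv_wnd(struct tcpcb_model *tp, int win, int clamp)
{
    if (win < 0)
        win = 0;
    if (clamp && win > (TCP_MAXWIN << tp->rcv_scale))
        win = TCP_MAXWIN << tp->rcv_scale;
    if (SEQ_GEQ(tp->rcv_adv, tp->rcv_nxt))
        tp->rcv_wnd = imax(win, (int)(tp->rcv_adv - tp->rcv_nxt));
    else
        tp->rcv_wnd = win;
}

/* Model of tcp_output's "adv": window newly offered beyond the edge the peer
 * already knows, with the sendable window capped for the scale in use. */
long window_advance(const struct tcpcb_model *tp, long recwin)
{
    long cap = (long)TCP_MAXWIN << tp->rcv_scale;
    long sendable = recwin < cap ? recwin : cap;
    return sendable - (long)(tp->rcv_adv - tp->rcv_nxt);
}

/* Replays the reply's case (sbspace() returns win, no window scaling in use)
 * and returns the adv the model computes for the next segment. */
long replay_adv(int win, int clamp)
{
    struct tcpcb_model tp = { 1000, 1000, 0, 0 };  /* constructed sequence numbers */
    set_rcv_wnd(&tp, win, clamp);
    tp.rcv_adv = tp.rcv_nxt + tp.rcv_wnd;  /* edge recorded once advertised (model) */
    return window_advance(&tp, win);
}
```

replay_adv(65536, 0) reproduces the -1, while replay_adv(65536, 1) yields 0 because rcv_wnd never exceeds the 65535 the wire can carry.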