From: John Baldwin
Date: Mon, 20 Jun 2011 18:08:34 +0000 (UTC)
To: cvs-src-old@freebsd.org
Subject: cvs commit: src/sys/netinet tcp_input.c tcp_output.c tcp_timewait.c
X-FreeBSD-CVS-Branch: RELENG_8

jhb         2011-06-20 18:08:34 UTC

  FreeBSD src repository

  Modified files:        (Branch: RELENG_8)
    sys/netinet          tcp_input.c tcp_output.c tcp_timewait.c
  Log:
  SVN rev 223343 on 2011-06-20 18:08:34Z by jhb

  MFC 221346,223049:
  Handle a rare edge case with nearly full TCP receive buffers.

  If a TCP buffer fills up causing the remote sender to enter into persist
  mode, but there is still room available in the receive buffer when a
  window probe arrives (either due to window scaling, or due to the local
  application very slowly draining data from the receive buffer), then the
  single byte of data in the window probe is accepted. However, this can
  cause rcv_nxt to be greater than rcv_adv. This condition will only last
  until the next ACK packet is pushed out via tcp_output(), and since the
  previous ACK advertised a zero window, the ACK should be pushed out while
  the TCP pcb is write-locked. To guarantee this, advance the advertised
  window (rcv_adv) even if we advertise a zero window.

  During the window while rcv_nxt is greater than rcv_adv, a few places
  would compute the remaining receive window via rcv_adv - rcv_nxt.
  However, this value was then (uint32_t)-1. On a 64 bit machine this could
  expand to a positive 2^32 - 1 when cast to a long. In particular, when
  calculating the receive window in tcp_output(), the result would be that
  the receive window was computed as 2^32 - 1 resulting in advertising a far
  larger window to the remote peer than actually existed.

  Fix various places that compute the remaining receive window to either
  assert that it is not negative (i.e. rcv_nxt <= rcv_adv), or treat the
  window as full if rcv_nxt is greater than rcv_adv.

  Revision    Changes    Path
  1.411.2.17  +7 -1      src/sys/netinet/tcp_input.c
  1.164.2.13  +13 -6     src/sys/netinet/tcp_output.c
  1.307.2.6   +3 -0      src/sys/netinet/tcp_timewait.c
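
Added example (not part of the commit or of the FreeBSD source): the arithmetic the log describes, showing rcv_adv - rcv_nxt widened to a 64-bit signed value next to a guarded form that treats the window as full. The function names, the SEQ_GT macro as written here, the use of int64_t in place of long, and the sample sequence numbers are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t tcp_seq;   /* TCP sequence numbers are 32-bit and wrap */

/* Wraparound-safe "a is after b" in sequence space (illustrative macro). */
#define SEQ_GT(a, b) ((int32_t)((a) - (b)) > 0)

/* Unguarded: the uint32_t difference is widened to a 64-bit signed value.
 * int64_t stands in for long on a 64-bit machine (assumption). */
static int64_t remaining_window_unguarded(tcp_seq rcv_adv, tcp_seq rcv_nxt)
{
    return (int64_t)(rcv_adv - rcv_nxt);
}

/* Guarded: treat the window as full (0) when rcv_nxt has passed rcv_adv. */
static int64_t remaining_window_guarded(tcp_seq rcv_adv, tcp_seq rcv_nxt)
{
    if (SEQ_GT(rcv_nxt, rcv_adv))
        return 0;
    return (int64_t)(rcv_adv - rcv_nxt);
}

int main(void)
{
    /* Constructed sample values: { rcv_adv, rcv_nxt }. */
    static const tcp_seq cases[][2] = {
        { 2000u, 1000u },       /* normal: 1000 bytes of window remain     */
        { 1000u, 1001u },       /* probe byte accepted: rcv_nxt > rcv_adv  */
        { 5u, 0xFFFFFFF0u },    /* window spans the 2^32 sequence wrap     */
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        tcp_seq adv = cases[i][0], nxt = cases[i][1];
        printf("rcv_adv=%u rcv_nxt=%u unguarded=%lld guarded=%lld\n",
            (unsigned)adv, (unsigned)nxt,
            (long long)remaining_window_unguarded(adv, nxt),
            (long long)remaining_window_guarded(adv, nxt));
    }
    return 0;
}
```

The third case is why the guard compares in sequence space: a plain `rcv_nxt > rcv_adv` test would wrongly zero a valid 21-byte window that straddles the wrap.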