From nobody Thu Oct 2 14:54:27 2025 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ccvvm0sn3z69Hh8; Thu, 02 Oct 2025 14:54:28 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4ccvvl71ggz3LJ6; Thu, 02 Oct 2025 14:54:27 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1759416868; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=nv9USDPrBHXe6Y/dn93OaryTp1u+MTeUyKmaGV7K+mk=; b=kZlr7IhmOmdjE/7PwNCIq3qy+GaSvm7+FsCXaRPo1zmWKk1CCiWjVxyBT527WD/O6BTtAa mo3oagJE9shyvU37kKSlLQtcckLsF7V2ZaDj//fDaHGee2bZBRAcXaXokEI6T71KXD6bV2 X0qaxxHaNmojMmgYQPkcT1nBSA3FKxrH5fUqq+Vg89SGR8SmWME84DtQX6qV+3NBeO2bSE tv9CX8w1iSaFrObTK/57HP6NLOHfLgihS77WeLfWgqyZgc04r+mX/05VlmIFAmxlHOYmrX SW7hWdDJLpouNZySA+iwksaa36cjNS4xDWetJympZ3C4q9a421vkeFDlhASYIA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1759416868; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=nv9USDPrBHXe6Y/dn93OaryTp1u+MTeUyKmaGV7K+mk=; b=JJlYZiWaEpZqXl8IjX96eVXSBhac6JnNk+x/UKCX3xk2lF19kU0b6bubPQkjQPqdCz/8Kt C3XA3i6VvClU1MWOzPuoCfW1rndb4kVXqlWc0WMZLhBXIDhgUP423san7bU9ptdVh+zejo FCMnudiTlF48nakcOukkgqDevCXZVwfssyy/qUOC9TnQmnH779YVNVVqCr4qF5Qcdzar0D oydpeqw6XV96zCHwXZcPcdFzOuvDCrlZVZRIuyv9Mv0ORuOa3NY65vOj7eGY52cLZibTQ0 B1iEkKqGq597/8uPNtzHsr/455DVopdM4ZSOXIGvYRTOwLhrtqa8j1eNhWo9Nw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1759416868; a=rsa-sha256; cv=none; b=IScNKM6YLM0fw4z7yC9NqFgm05DjQ/0/1PvM/ogbs014p6Dld84ZPJq2EAHuSXcXGCCXT2 KBvGgAKAuFj2GL7QHnMiUC6e/4IIondnC0CoL+d6C5AluDIEgJwlJdDet1vzp3E4e8bKl+ CL0Wm5pd4ikoX1o+ZUfLBl2kWSHk1YZ59ujMwSOyUu0lC4/9+eriG68J+dyYtDitzYS6TO 5cZpMUm/3WK4WdCgFid2HbuBuazkSOMWo/7GhyrHybvGxWlKg0NsBiXNKBnXnKXoudNkOp xRAK7yrCsHcECExG4c864AchHzDTHe3IXkQ+d8M9pkXgEzNrvxC0c/tshCyw+Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4ccvvl6JkZz1Bth; Thu, 02 Oct 2025 14:54:27 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 592EsRUQ091027; Thu, 2 Oct 2025 14:54:27 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 592EsRHr091024; Thu, 2 Oct 2025 14:54:27 GMT (envelope-from git) Date: Thu, 2 Oct 2025 14:54:27 GMT Message-Id: <202510021454.592EsRHr091024@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Michael Tuexen Subject: git: b7118461f909 - main - tcp: improve segment validation in SYN-RECEIVED List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: tuexen X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: b7118461f9099876cb2c2923948f8fb647defd57 Auto-Submitted: auto-generated The branch main has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=b7118461f9099876cb2c2923948f8fb647defd57 commit b7118461f9099876cb2c2923948f8fb647defd57 Author: Michael Tuexen AuthorDate: 2025-10-02 14:51:09 +0000 Commit: Michael Tuexen CommitDate: 2025-10-02 14:51:09 +0000 tcp: improve segment validation in SYN-RECEIVED The validation of SEG.SEQ (first step in SEGMENT ARRIVES of RFC 9293) should be done before the validation of SEG.ACK (fifth step in SEGMENT ARRIVES in RFC 9293). Furthermore, when the SEG.SEQ validation fails, a challenge ACK should be sent instead of sending a RST-segment and moving the endpoint to CLOSED. Reported by: Tilnel on freebsd-net Reviewed by: Nick Banks MFC after: 3 days Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D52849 --- sys/netinet/tcp_syncache.c | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c index 778ab0583735..7f842512858d 100644 --- a/sys/netinet/tcp_syncache.c +++ b/sys/netinet/tcp_syncache.c @@ -1258,19 +1258,6 @@ syncache_expand(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th, } } - /* - * SEG.ACK validation: - * SEG.ACK must match our initial send sequence number + 1. - */ - if (th->th_ack != sc->sc_iss + 1) { - SCH_UNLOCK(sch); - if ((s = tcp_log_addrs(inc, th, NULL, NULL))) - log(LOG_DEBUG, "%s; %s: ACK %u != ISS+1 %u, " - "segment rejected\n", - s, __func__, th->th_ack, sc->sc_iss + 1); - goto failed; - } - /* * SEG.SEQ validation: * The SEG.SEQ must be in the window starting at our @@ -1278,11 +1265,26 @@ syncache_expand(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th, */ if (SEQ_LEQ(th->th_seq, sc->sc_irs) || SEQ_GT(th->th_seq, sc->sc_irs + sc->sc_wnd)) { - SCH_UNLOCK(sch); if ((s = tcp_log_addrs(inc, th, NULL, NULL))) log(LOG_DEBUG, "%s; %s: SEQ %u != IRS+1 %u, " - "segment rejected\n", + "sending challenge ACK\n", s, __func__, th->th_seq, sc->sc_irs + 1); + syncache_send_challenge_ack(sc, m); + SCH_UNLOCK(sch); + free(s, M_TCPLOG); + return (-1); /* Do not send RST */; + } + + /* + * SEG.ACK validation: + * SEG.ACK must match our initial send sequence number + 1. + */ + if (th->th_ack != sc->sc_iss + 1) { + SCH_UNLOCK(sch); + if ((s = tcp_log_addrs(inc, th, NULL, NULL))) + log(LOG_DEBUG, "%s; %s: ACK %u != ISS+1 %u, " + "segment rejected\n", + s, __func__, th->th_ack, sc->sc_iss + 1); goto failed; }