From: Hartmut Brandt <Hartmut.Brandt@dlr.de>
Date: Fri, 21 Nov 2008 19:56:26 +0100
To: Andre Oppermann
Cc: freebsd-net@freebsd.org, bz@freebsd.org, Harti Brandt, Rui Paulo
Subject: Re: TCP and syncache question
Message-ID: <4927045A.8020805@dlr.de>
In-Reply-To: <49255D5B.5040303@freebsd.org>
References: <491F2C47.4050500@dlr.de> <0A4BB2F1-AC9F-4316-94E3-790E2D80F651@freebsd.org> <49201859.2080605@dlr.de> <4921B3C6.5020002@freebsd.org> <4921F2CD.503@freebsd.org> <20081119234543.A90462@beagle.kn.op.dlr.de> <49255D5B.5040303@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

Andre Oppermann wrote:
> Harti Brandt wrote:
>> Hi Andre,
>>
>> On Mon, 17 Nov 2008, Andre Oppermann wrote:
>>
>> AO>This is a bit more complicated because of interactions with tcp_input()
>> AO>where syncache_expand() is called from.
>> AO>
>> AO>The old code (as of December 2002) behaved slightly differently. It would
>> AO>not remove the syncache entry when (SND.UNA == SEG.ACK) but send a RST.
>> AO>The (RCV.NXT =< SEG.SEQ+SEG.LEN-1 < RCV.NXT+RCV.WND) test wasn't done at
>> AO>all. Instead a socket was opened whenever (SND.UNA == SEG.ACK) succeeded.
>> AO>This gave way to the "LAND" DoS attack which was mostly fixed with a test
>> AO>for (RCV.IRS < SEG.SEQ).
>> AO>
>> AO>See the attached patch for a fixed version of syncache_expand(). This patch
>> AO>is untested though. My development machine is currently down. Harti, Rui
>> AO>and Bjoern, please have a look at the patch and review it.
>>
>> Some small problems:
> ...
>> Need another cast here: *lsop = (struct socket *)1.
>
> Changed the logic to use a NULL *lsop to differentiate in tcp_input().
> Much simpler.

Turns out there is a bug in the patch: after the call to syncache_lookup()
a test sc == NULL is made, and if sc == NULL it may goto sendrst:

    sendrst:
            if (sc != &scs)
                    syncache_free(sc);

Here syncache_free panics because of the NULL passed to it. I suppose both
gotos under the if() should go to sendrstkeep instead.

harti
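The checks Andre lists for the handshake-completing ACK (SND.UNA == SEG.ACK, the RCV.IRS < SEG.SEQ test added after LAND, and the receive-window test), together with the lookup-miss case Harti's reply is about, as a constructed C model added here; it is not FreeBSD's syncache code. struct sc_entry, syncache_expand_model and sample_sc are hypothetical names, and the SEG.LEN == 0 form of the window test is taken from RFC 793 rather than from the mail.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Wrapping 32-bit sequence comparisons, in the spirit of the kernel's SEQ_* macros. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)

/* Hypothetical syncache entry: only the fields the checks need. */
struct sc_entry {
    uint32_t irs;      /* RCV.IRS: peer's initial sequence number from its SYN */
    uint32_t rcv_nxt;  /* RCV.NXT: irs + 1 once the SYN is consumed */
    uint32_t rcv_wnd;  /* RCV.WND: window we advertised in the SYN-ACK */
    uint32_t snd_una;  /* SND.UNA: our ISS + 1, the ACK value we expect */
};

enum sc_result { SC_ACCEPT = 0, SC_RST = 1 };

/* RFC 793 acceptability test. The mail quotes the SEG.LEN > 0 form;
 * for a pure ACK (SEG.LEN == 0) the RFC tests SEG.SEQ itself. */
static bool seg_in_window(const struct sc_entry *sc, uint32_t seq, uint32_t len)
{
    uint32_t last = len ? seq + len - 1 : seq;
    return SEQ_LEQ(sc->rcv_nxt, last) &&
           SEQ_LT(last, sc->rcv_nxt + sc->rcv_wnd);
}

/* Model of the checks on the ACK that completes a handshake.
 * sc == NULL models a syncache_lookup() miss: it is answered with a RST
 * without handing the NULL to any free routine, which is the panic the
 * mail describes. */
enum sc_result syncache_expand_model(const struct sc_entry *sc,
                                     uint32_t seg_seq, uint32_t seg_ack,
                                     uint32_t seg_len)
{
    if (sc == NULL)
        return SC_RST;                 /* nothing found, so nothing to free */
    if (seg_ack != sc->snd_una)
        return SC_RST;                 /* SND.UNA == SEG.ACK failed */
    if (!SEQ_LT(sc->irs, seg_seq))
        return SC_RST;                 /* LAND fix: RCV.IRS < SEG.SEQ */
    if (!seg_in_window(sc, seg_seq, seg_len))
        return SC_RST;                 /* RCV.NXT =< SEG.SEQ+SEG.LEN-1 < RCV.NXT+RCV.WND */
    return SC_ACCEPT;
}

/* Constructed sample entry with IRS just below the 32-bit wrap point,
 * so the window test crosses the wrap. */
const struct sc_entry sample_sc = { 0xFFFFFFF0u, 0xFFFFFFF1u, 65535u, 1001u };
```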