From owner-freebsd-bugs Thu Mar 22 0:50:13 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 1EF5337B722 for ; Thu, 22 Mar 2001 00:50:01 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f2M8o1V16953; Thu, 22 Mar 2001 00:50:01 -0800 (PST) (envelope-from gnats)
Received: from hell.branda.to (61-216-80-11.HINET-IP.hinet.net [61.216.80.11]) by hub.freebsd.org (Postfix) with ESMTP id 71C0D37B71D for ; Thu, 22 Mar 2001 00:48:09 -0800 (PST) (envelope-from thinker@branda.to)
Received: from localhost (localhost [127.0.0.1]) (uid 1000) by hell.branda.to with local; Thu, 22 Mar 2001 16:50:53 +0000
Message-Id: <20010322165052.A46012@hell.branda.to>
Date: Thu, 22 Mar 2001 16:50:53 +0000
From: thinker
To: FreeBSD-gnats-submit@freebsd.org
In-Reply-To: ; from on Thu, Mar 22, 2001 at 04:44:42PM +0000
References:
Subject: kern/25986: Socket would hang at LAST_ACK forever.
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 25986
>Category: kern
>Synopsis: Socket would hang at LAST_ACK forever.
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Mar 22 00:50:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: thinker
>Release: FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD hell.branda.to 5.0-CURRENT FreeBSD 5.0-CURRENT #1: Wed Mar 7 20:41:54 GMT 2001 thinker@hell.branda.to:/usr/src/sys/compile/thk i386
>Description:
When a TCP socket goes to the LAST_ACK state and the remote host never responds with an ACK, the socket would stay at LAST_ACK forever and never be removed. It would be a bug exploitable by a DDoS attacker. The patch file to fix the problem follows.
>How-To-Repeat:
>Fix:
--- sys/netinet/tcp_usrreq.c.orig Thu Mar 22 14:59:45 2001 +++ sys/netinet/tcp_usrreq.c Thu Mar 22 15:04:49 2001 @@ -1139,13 +1139,15 @@ tp->t_state = TCPS_LAST_ACK; break; } - if (tp && tp->t_state >= TCPS_FIN_WAIT_2) { + if (tp && tp->t_state >= TCPS_FIN_WAIT_2) soisdisconnected(tp->t_inpcb->inp_socket); - /* To prevent the connection hanging in FIN_WAIT_2 forever. */ - if (tp->t_state == TCPS_FIN_WAIT_2) - callout_reset(tp->tt_2msl, tcp_maxidle, - tcp_timer_2msl, tp); - } + /* + * To prevent the connection hanging in FIN_WAIT_2 & + * TCPS_LAST_ACK forever. + */ + if (tp->t_state == TCPS_FIN_WAIT_2 || tp->t_state == TCPS_LAST_ACK) + callout_reset(tp->tt_2msl, tcp_maxidle, + tcp_timer_2msl, tp); return (tp); }
>Release-Note:
>Audit-Trail:
>Unformatted:
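
Review bot: the new `if (tp->t_state == TCPS_FIN_WAIT_2 || tp->t_state == TCPS_LAST_ACK)` test now sits outside the `tp &&` guard because the braces were removed, so `tp` is dereferenced unconditionally just before `return (tp)`. The existing `tp &&` check implies `tp` can be NULL at this point, which would turn this into a kernel NULL dereference. Keep the guard on the new test, for example `if (tp && (tp->t_state == TCPS_FIN_WAIT_2 || tp->t_state == TCPS_LAST_ACK))`. The comment should also say why `tcp_maxidle` and `tcp_timer_2msl` are the right timeout and handler for LAST_ACK, since the code being replaced armed them only for FIN_WAIT_2, and the empty How-To-Repeat field leaves no way to confirm the hang or the fix.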