From nobody Sun Oct  5 13:26:01 2025
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4cfjpL1Wm7z69tTm;
	Sun, 05 Oct 2025 13:26:02 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4cfjpK6ZxZz3tCB;
	Sun, 05 Oct 2025 13:26:01 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1759670761;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=VWJxwT8eT/EcFHzqPevizKdvDpWgWpoJigvwm6mzOSM=;
	b=f1DlK8uzsw+lnZx1ZC8Fklwy2ikVX/SLCSgGUU8gzu0WKFNpuIp3ShWwr6R+OUBfLTdGP6
	1qZTCYTicQTXlIloOabm5tgTXJ/sexKTpmHHffaLeguUkBlU3qmBPYE3FDbg06P2i/RvAE
	MnGQ9CC3a4gSrMVHyuqIy7zeyr2r4UILcHe4ge4ZVk5i9rWe7iL0PgC9azXNAk+dET3Ajb
	hE438mhXzgHxL+fjY6KzrrJLYRKhGwb/Bqs3g0TZQhU7fwneSitT4zPoOwiYhYNrffLXmc
	N0yhU26BrHNqP0M00mEeK+14hQfHHc/TIfQ1byfN71kbgAt2EUg9tOg1IkrrPw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1759670761;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=VWJxwT8eT/EcFHzqPevizKdvDpWgWpoJigvwm6mzOSM=;
	b=U/QHk7aY0ic/PAqSz45DtAMQAmY/nxE5QNgHF5C7WArA/4NxzhlfUbRHjJX1BKsUBdwOWl
	Oiw+Qc7AA1pKkBSEUQP5Yf8xmQItr5F356mgmmiA+0gVH5lYWd0OcoQ6MQutNwPNEbXdrx
	bSddHiMIPYCcD2Lml5sfVLIdLmNRM6U+jeenVvQdfLMhbT9X/VTreqsriI5UZH+PV0lcJe
	2Sxo+Hc6YwBZvumK74h76nM5JQTQdBBRvz0ejJb03e8hOpL37uhUyte3TMt8MqhW42B9Hu
	9GHKrnVvGuCnzJJXiAwtxo+2iu2Bfwzdd7xebNpRuh4c86Z1ZziaBIEi7qeM3Q==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1759670761; a=rsa-sha256; cv=none;
	b=kXP0STg0ZwAzVvTkx37s1m7YL/R8V41j/RamGgr1UFn5zES7OaKY4DQ/u20gVvpsLCqWhm
	CMAiWTllf3ogx5H87RICPTe+9N+gcDOOMLo8+ZPRz64LxuGD2Ip/cmkCq7Gn0aYMZ+ZY/+
	1ZNa/fpQqxZgO46Moz5kevheuM6VR4Si8kB7561lCHng+wlNW6DUlfg1T1J2lVZfzKp/71
	GbgUm3AfHjqas33b3h3gmWFqMAlk+6mRst1nNP1mMAQXn1dTexs1+FyLHPl1aJ0sq9eLiH
	TZ3foPet+fwySMTSJHmIAJ2e1uDT03eicpYyzkiXPRp3FTj6F2qnYp5mm+ZrkQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4cfjpK60yyzBV;
	Sun, 05 Oct 2025 13:26:01 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 595DQ1xk094479;
	Sun, 5 Oct 2025 13:26:01 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 595DQ11m094476;
	Sun, 5 Oct 2025 13:26:01 GMT
	(envelope-from git)
Date: Sun, 5 Oct 2025 13:26:01 GMT
Message-Id: <202510051326.595DQ11m094476@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Michael Tuexen <tuexen@FreeBSD.org>
Subject: git: a7dcd4c2a9fb - stable/14 - tcp: improve segment
  validation in SYN-RECEIVED
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: tuexen
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: a7dcd4c2a9fb35cac756db04326827efbaa4589b
Auto-Submitted: auto-generated

The branch stable/14 has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=a7dcd4c2a9fb35cac756db04326827efbaa4589b

commit a7dcd4c2a9fb35cac756db04326827efbaa4589b
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2025-10-02 14:51:09 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2025-10-05 13:25:35 +0000

    tcp: improve segment validation in SYN-RECEIVED
    
    The validation of SEG.SEQ (first step in SEGMENT ARRIVES of RFC 9293)
    should be done before the validation of SEG.ACK (fifth step in
    SEGMENT ARRIVES in RFC 9293).
    Furthermore, when the SEG.SEQ validation fails, a challenge ACK
    should be sent instead of sending a RST-segment and moving the
    endpoint to CLOSED.
    
    Reported by:            Tilnel on freebsd-net
    Reviewed by:            Nick Banks
    Sponsored by:           Netflix, Inc.
    Differential Revision:  https://reviews.freebsd.org/D52849
    
    (cherry picked from commit b7118461f9099876cb2c2923948f8fb647defd57)
---
 sys/netinet/tcp_syncache.c | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index 4ab0d251698c..ee3b9b4994c9 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -1265,19 +1265,6 @@ syncache_expand(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 			}
 		}
 
-		/*
-		 * SEG.ACK validation:
-		 * SEG.ACK must match our initial send sequence number + 1.
-		 */
-		if (th->th_ack != sc->sc_iss + 1) {
-			SCH_UNLOCK(sch);
-			if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
-				log(LOG_DEBUG, "%s; %s: ACK %u != ISS+1 %u, "
-				    "segment rejected\n",
-				    s, __func__, th->th_ack, sc->sc_iss + 1);
-			goto failed;
-		}
-
 		/*
 		 * SEG.SEQ validation:
 		 * The SEG.SEQ must be in the window starting at our
@@ -1285,11 +1272,26 @@ syncache_expand(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 		 */
 		if (SEQ_LEQ(th->th_seq, sc->sc_irs) ||
 		    SEQ_GT(th->th_seq, sc->sc_irs + sc->sc_wnd)) {
-			SCH_UNLOCK(sch);
 			if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
 				log(LOG_DEBUG, "%s; %s: SEQ %u != IRS+1 %u, "
-				    "segment rejected\n",
+				    "sending challenge ACK\n",
 				    s, __func__, th->th_seq, sc->sc_irs + 1);
+			syncache_send_challenge_ack(sc, m);
+			SCH_UNLOCK(sch);
+			free(s, M_TCPLOG);
+			return (-1);  /* Do not send RST */;
+		}
+
+		/*
+		 * SEG.ACK validation:
+		 * SEG.ACK must match our initial send sequence number + 1.
+		 */
+		if (th->th_ack != sc->sc_iss + 1) {
+			SCH_UNLOCK(sch);
+			if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
+				log(LOG_DEBUG, "%s; %s: ACK %u != ISS+1 %u, "
+				    "segment rejected\n",
+				    s, __func__, th->th_ack, sc->sc_iss + 1);
 			goto failed;
 		}