From nobody Sun Oct  5 13:32:04 2025
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4cfjxJ6VStz69vKx;
	Sun, 05 Oct 2025 13:32:04 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4cfjxJ5k2bz3tyb;
	Sun, 05 Oct 2025 13:32:04 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1759671124;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=b3psnGyO5cOklFoA4DspdXlFog/DMLCPzTiZumSgMFM=;
	b=U6ySxJRhfYCV7yLCB05x+OtvdEKm1wbm42pU8ugnlv71L4drO+8cUHw6f+uso4+wDJmAY+
	c6bfYo3eLXdeHUiunpXv18KM0PLIkRHghRP94NSXdYhLmTtE4s5pNdEmBnozgkjYnfzhAp
	T/DQIPOko0RUigc9XbpztlqBXv+L5QN4OPf7NQWTbo+hT3hYI4cCFGMv8s/lX6C3df6bru
	U4EO2hRF+RQfxzq4SiqaQRszW1RcTowAy39t+v8YGoZPcsIZCJGkX97PRL4uaJ5M+GasT7
	rLAeLLDpbQp1T98OFNDcX8fOPFXfxM6JML4r+mGcDMdTUn5BDrV3wpFsTkb+1Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1759671124;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=b3psnGyO5cOklFoA4DspdXlFog/DMLCPzTiZumSgMFM=;
	b=DogNdS07nfM2o+Aoq9dIUGi6q+PD+/EO1vDG5LFaCBogg2/zpnPRrCdMV4DKy9mqFYl/N9
	jILiv4GGqiLpHrQDkB2wiIbuQjbMdLSRk9LihTzwmM5mk5qVDHXRw8IZvpLCQ9h09XCMhZ
	8M8wWWvHPNQrS5QRrOwfv7hhbaaWREHKSyNBgBb7m2oiQ1mdP7cpzN7+O/eg6m+GlZOj8F
	To0E8cV6/qRuNY07RVZ8HWHde9u2VSHCw539ge3VexbnQ3zk6h2oXLHsCGGitXz0HZ8HPW
	1Ae8FfypAkMtip6JKphVshd4RHCk81EixfNNVBtnYVY/ZWoEIFx9LY5uZ1Kimw==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1759671124; a=rsa-sha256; cv=none;
	b=em2Op7oWE4jb7SPhQEg5ao4pPxRYGp0bNQi2WF+8pi+kejFu8sN3FqokWVufeNgfV3QuYO
	KgPU4RjOlOgzG/8AbAZqvnqfB5euaFWSPKUhlMg1gNbFh+dLksrxdNhOpwAnb2ti69H4Pq
	0wj+QQbXNDxqVpMXzDKfdCzxle0NpNjkauyJUTkTZU6+oLShP1TaF3leoa1Pgsd2c7XPsh
	ScCVD+2fZqYKwlY9INO8OjcS0zJvSVuLECCmrsFkiQFi7o35CpeHXxq/dfNj45rMp9IDJl
	y26EHbHk5G3dafQhV5VbPDJeGrgl+NXxNXqrHaWkU7aiJKFxv2K15l9hX1LRLA==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4cfjxJ4jrbzTn;
	Sun, 05 Oct 2025 13:32:04 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 595DW4EV012128;
	Sun, 5 Oct 2025 13:32:04 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 595DW4g8012125;
	Sun, 5 Oct 2025 13:32:04 GMT
	(envelope-from git)
Date: Sun, 5 Oct 2025 13:32:04 GMT
Message-Id: <202510051332.595DW4g8012125@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Michael Tuexen <tuexen@FreeBSD.org>
Subject: git: f846f0cc6002 - stable/15 - tcp: improve segment
  validation in SYN-RECEIVED
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: tuexen
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: f846f0cc600236409e187c44481f68597b95f8ce
Auto-Submitted: auto-generated

The branch stable/15 has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=f846f0cc600236409e187c44481f68597b95f8ce

commit f846f0cc600236409e187c44481f68597b95f8ce
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2025-10-02 14:51:09 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2025-10-05 13:31:21 +0000

    tcp: improve segment validation in SYN-RECEIVED
    
    The validation of SEG.SEQ (first step in SEGMENT ARRIVES of RFC 9293)
    should be done before the validation of SEG.ACK (fifth step in
    SEGMENT ARRIVES in RFC 9293).
    Furthermore, when the SEG.SEQ validation fails, a challenge ACK
    should be sent instead of sending a RST-segment and moving the
    endpoint to CLOSED.
    
    Reported by:            Tilnel on freebsd-net
    Reviewed by:            Nick Banks
    Sponsored by:           Netflix, Inc.
    Differential Revision:  https://reviews.freebsd.org/D52849
    
    (cherry picked from commit b7118461f9099876cb2c2923948f8fb647defd57)
---
 sys/netinet/tcp_syncache.c | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index 778ab0583735..7f842512858d 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -1258,19 +1258,6 @@ syncache_expand(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 			}
 		}
 
-		/*
-		 * SEG.ACK validation:
-		 * SEG.ACK must match our initial send sequence number + 1.
-		 */
-		if (th->th_ack != sc->sc_iss + 1) {
-			SCH_UNLOCK(sch);
-			if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
-				log(LOG_DEBUG, "%s; %s: ACK %u != ISS+1 %u, "
-				    "segment rejected\n",
-				    s, __func__, th->th_ack, sc->sc_iss + 1);
-			goto failed;
-		}
-
 		/*
 		 * SEG.SEQ validation:
 		 * The SEG.SEQ must be in the window starting at our
@@ -1278,11 +1265,26 @@ syncache_expand(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 		 */
 		if (SEQ_LEQ(th->th_seq, sc->sc_irs) ||
 		    SEQ_GT(th->th_seq, sc->sc_irs + sc->sc_wnd)) {
-			SCH_UNLOCK(sch);
 			if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
 				log(LOG_DEBUG, "%s; %s: SEQ %u != IRS+1 %u, "
-				    "segment rejected\n",
+				    "sending challenge ACK\n",
 				    s, __func__, th->th_seq, sc->sc_irs + 1);
+			syncache_send_challenge_ack(sc, m);
+			SCH_UNLOCK(sch);
+			free(s, M_TCPLOG);
+			return (-1);  /* Do not send RST */;
+		}
+
+		/*
+		 * SEG.ACK validation:
+		 * SEG.ACK must match our initial send sequence number + 1.
+		 */
+		if (th->th_ack != sc->sc_iss + 1) {
+			SCH_UNLOCK(sch);
+			if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
+				log(LOG_DEBUG, "%s; %s: ACK %u != ISS+1 %u, "
+				    "segment rejected\n",
+				    s, __func__, th->th_ack, sc->sc_iss + 1);
 			goto failed;
 		}