diff options
| author | jdp <jdp@FreeBSD.org> | 1997-07-01 05:42:16 +0000 |
|---|---|---|
| committer | jdp <jdp@FreeBSD.org> | 1997-07-01 05:42:16 +0000 |
| commit | 3f044120cdb6253359462b5085756fca82a23d1c (patch) | |
| tree | 372f96fb219e4a0a9406307f6159649ef5d522f5 /sys/netinet | |
| parent | f357055fa53bf3310fd9dfebc91932e8fd640241 (diff) | |
| download | FreeBSD-src-3f044120cdb6253359462b5085756fca82a23d1c.zip FreeBSD-src-3f044120cdb6253359462b5085756fca82a23d1c.tar.gz | |
Fix a bug (apparently very old) that can cause a TCP connection to
be dropped when it has an unusual traffic pattern. For full details
as well as a test case that demonstrates the failure, see the
referenced PR.
Under certain circumstances involving the persist state, it is
possible for the receive side's tp->rcv_nxt to advance beyond its
tp->rcv_adv. This causes (tp->rcv_adv - tp->rcv_nxt) to become
negative. However, in the code affected by this fix, that difference
was interpreted as an unsigned number by max(). Since it was
negative, it was taken as a huge unsigned number. The effect was
to cause the receiver to believe that its receive window had negative
size, thereby rejecting all received segments including ACKs. As
the test case shows, this led to fruitless retransmissions and
eventually to a dropped connection. Even connections using the
loopback interface could be dropped. The fix substitutes the signed
imax() for the unsigned max() function.
PR: closes kern/3998
Reviewed by: davidg, fenner, wollman
Diffstat (limited to 'sys/netinet')
| -rw-r--r-- | sys/netinet/tcp_input.c | 4 | ||||
| -rw-r--r-- | sys/netinet/tcp_reass.c | 4 |
2 files changed, 4 insertions, 4 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index f76526e..33e9b60 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)tcp_input.c 8.12 (Berkeley) 5/24/95 - * $Id: tcp_input.c,v 1.57 1997/02/22 09:41:40 peter Exp $ + * $Id: tcp_input.c,v 1.58 1997/04/27 20:01:13 wollman Exp $ */ #ifndef TUBA_INCLUDE @@ -604,7 +604,7 @@ findpcb: win = sbspace(&so->so_rcv); if (win < 0) win = 0; - tp->rcv_wnd = max(win, (int)(tp->rcv_adv - tp->rcv_nxt)); + tp->rcv_wnd = imax(win, (int)(tp->rcv_adv - tp->rcv_nxt)); } switch (tp->t_state) { diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c index f76526e..33e9b60 100644 --- a/sys/netinet/tcp_reass.c +++ b/sys/netinet/tcp_reass.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)tcp_input.c 8.12 (Berkeley) 5/24/95 - * $Id: tcp_input.c,v 1.57 1997/02/22 09:41:40 peter Exp $ + * $Id: tcp_input.c,v 1.58 1997/04/27 20:01:13 wollman Exp $ */ #ifndef TUBA_INCLUDE @@ -604,7 +604,7 @@ findpcb: win = sbspace(&so->so_rcv); if (win < 0) win = 0; - tp->rcv_wnd = max(win, (int)(tp->rcv_adv - tp->rcv_nxt)); + tp->rcv_wnd = imax(win, (int)(tp->rcv_adv - tp->rcv_nxt)); } switch (tp->t_state) { |
