PERFORCE change 138288 for review
Andre Oppermann
andre at FreeBSD.org
Sat Mar 22 16:31:02 UTC 2008
http://perforce.freebsd.org/chv.cgi?CH=138288
Change 138288 by andre at andre_flirtbox on 2008/03/22 16:30:22
Simplified FIN handling based on discussion on TCPM mailing
list.
Affected files ...
.. //depot/projects/tcp_reass/netinet/tcp_reass.c#19 edit
Differences ...
==== //depot/projects/tcp_reass/netinet/tcp_reass.c#19 (text+ko) ====
@@ -286,15 +286,29 @@
mcnt += (n->m_flags & M_EXT) ?
n->m_ext.ext_size + MSIZE : MSIZE;
- tqe = TAILQ_LAST(&tp->t_trq, trq_head);
-
/*
* FIN handling is a bit tricky.
- * We only accept a FIN if it matches the right side of the sequence
- * space.
+ * We cannot trust a FIN that goes into the reassembly queue.
+ * It can be easily spoofed as it may be anywhere in the receive
+ * window (see RST attack mitigation in tcp-secure).
+ * For this reason (and complexity avoidance) we generally ignore
+ * any FIN arriving at the reassembly queue with one exception;
+ * When it exactly matches rcv_nxt together with any data in the
+ * same segment we can conclude it to be genuine and proceed with
+ * flushing any other data waiting in the reassembly queue.
+ * A FIN is part of the sequence space and will get retransmitted
+ * if it was genuine.
+ * This approach is based on a discussion on TCPM mailing list.
*/
- if (thflags & TH_FIN) {
- }
+ if ((thflags & TH_FIN) && tp->rcv_nxt == th_seq) {
+ tcp_reass_qfree(tp);
+ tqe = NULL;
+ goto insert;
+ } else
+ thflags &= ~TH_FIN;
+
+ /* Starting point for the following tests. */
+ tqe = TAILQ_LAST(&tp->t_trq, trq_head);
/* Check if this segment directly attaches to the end. */
if (tqe && tqe->trq_seq + tqe->trq_len == th_seq) {
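Review bot: The new condition `(thflags & TH_FIN) && tp->rcv_nxt == th_seq` does not test that the segment carries data, although the comment above it names "together with any data in the same segment" as part of the reason the FIN can be trusted. If a zero-length segment can reach this point (the earlier length checks are outside the hunk), a bare FIN at rcv_nxt would take the branch and `tcp_reass_qfree(tp)` would discard every queued block. Either add the length test to the condition, or reword the comment to say that the exact rcv_nxt match alone is the acceptance criterion. The `insert` label and the code that consumes `tqe == NULL` are also outside the hunk, so a short comment on that assignment, such as `/* Queue is now empty, insert as first block. */`, would help, assuming that is what the label expects. The `} else` arm is unbraced next to a braced `if`; bracing both keeps `thflags &= ~TH_FIN;` from being detached by a later edit.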
@@ -525,7 +539,7 @@
return (0);
present:
/*
- * Present data to user, advancing rcv_nxt through
+ * Present data to user, advancing rcv_nxt through the
* completed sequence space.
*/
KASSERT(!TAILQ_EMPTY(&tp->t_trq),
@@ -533,6 +547,7 @@
KASSERT((TAILQ_FIRST(&tp->t_trq))->trq_seq == tp->rcv_nxt,
("%s: first block does not match rcv_nxt", __func__));
tcpstat.tcps_reass_missingseg++;
+
SOCKBUF_LOCK(&so->so_rcv);
TAILQ_FOREACH_SAFE(tqe, &tp->t_trq, trq_q, tqen) {
KASSERT(SEQ_GEQ(tqe->trq_seq, tp->rcv_nxt),
@@ -540,6 +555,7 @@
KASSERT(tqen == NULL ||
SEQ_LEQ(tqe->trq_seq + tqe->trq_len, tqen->trq_seq),
("%s: block overlaps into next one", __func__));
+
if (tqe->trq_seq != tp->rcv_nxt)
break;
if (so->so_rcv.sb_state & SBS_CANTRCVMORE)
@@ -547,8 +563,6 @@
else
sbappendstream_locked(&so->so_rcv, tqe->trq_m);
tp->rcv_nxt += tqe->trq_len;
- KASSERT(!(thflags & TH_FIN) || tqe == TAILQ_LAST(&tp->t_trq, trq_head),
- ("%s: FIN not on last block", __func__));
tp->t_trqmcnt -= tqe->trq_mcnt;
tcp_reass_mcnt -= tqe->trq_mcnt;
TAILQ_REMOVE(&tp->t_trq, tqe, trq_q);
@@ -557,7 +571,7 @@
uma_zfree(tcp_reass_zone, tqe);
tcp_reass_qsize--;
}
- /* NB: sorwakeup_locked() does an implicit socket buffer unlock. */
+ /* NB: sorwakeup_locked() does a implicit socket buffer unlock. */
sorwakeup_locked(so);
/*
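Review bot: The replacement comment reads "does a implicit socket buffer unlock", which turns a correct article into a typo; keep the original `/* NB: sorwakeup_locked() does an implicit socket buffer unlock. */`. This comment is the only visible explanation of how the `SOCKBUF_LOCK(&so->so_rcv)` taken earlier in this block gets released, so it should stay easy to read. The enclosing block continues past the end of the hunk.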