TCP and syncache question
hartmut.brandt at dlr.de
Sat Nov 15 12:22:14 PST 2008
in tcp_syncache.c:syncache_expand() there is a test that the
acknowledgement number and the sequence number of an incoming ACK
segment are in the expected range. If they are not, syncache_expand()
returns 0 and tcp_input drops the segment and sets a reset. So far so
good. But syncache_expand() also deletes the syncache entry, and so
destroys the connection. I cannot see why it does it. It seems to me
that such a wrong segment should be interpreted as to be from another
connection and as such the segment should be ignored (but a reset sent).
When the correct ACK comes, the connection could still be established.
As it is now, the establishment of incoming connections can seriously be
disturbed by someone sending fake ACK packets.
The same test (for the ack number, not for the sequence number) is also
further down in tcp_input.c:tcp_do_segment() (just after the header
prediction stuff) and here the handling is correct: the goto
dropwithreset just sends a reset and drops the segment but leaves the
connection in the SYN-RECEIVED state. This test is probably never
reached now, because of syncache_expand(), though.
Maybe I fail to see something obvious, though...
More information about the freebsd-net