TCP and syncache question
Hartmut Brandt
hartmut.brandt at dlr.de
Fri Nov 21 10:56:46 PST 2008
Andre Oppermann wrote:
> Harti Brandt wrote:
>> Hi Andre,
>>
>> On Mon, 17 Nov 2008, Andre Oppermann wrote:
>>
>> AO>This is a bit more complicated because of interactions with tcp_input()
>> AO>where syncache_expand() is called from.
>> AO>
>> AO>The old code (as of December 2002) behaved slightly differently. It would
>> AO>not remove the syncache entry when (SND.UNA == SEG.ACK) but send a RST.
>> AO>The (RCV.NXT =< SEG.SEQ+SEG.LEN-1 < RCV.NXT+RCV.WND) test wasn't done at
>> AO>all. Instead a socket was opened whenever (SND.UNA == SEG.ACK) succeeded.
>> AO>This gave way to the "LAND" DoS attack which was mostly fixed with a test
>> AO>for (RCV.IRS < SEG.SEQ).
>> AO>
>> AO>See the attached patch for the fixed version of syncache_expand(). This patch
>> AO>is untested though. My development machine is currently down. Harti, Rui
>> AO>and Bjoern, please have a look at the patch and review it.
>>
>> Some small problems:
> ...
>> Need another cast here: *lsop = (struct socket *)1.
>
> Changed the logic to use a NULL *lsop to differentiate in tcp_input().
> Much simpler.
Turns out there is a bug in the patch: after the call to
syncache_lookup() a test for sc == NULL is made, and if sc == NULL it may
goto sendrst:

sendrst:
	if (sc != &scs)
		syncache_free(sc);

Here syncache_free panics because of the NULL passed to it. I suppose
both gotos under the if() should go to sendrstkeep instead.
harti
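The control-flow defect described in this thread, a lookup miss that jumps to a cleanup label which frees the entry, is shown below in a small stand-alone model written for this page. It is not the FreeBSD patch or the kernel's syncache code: the entry and segment structures, the table, the sc_add/sc_lookup/sc_free helpers, the expand4() wrapper and the result codes are all assumptions of the model. It mirrors the two labels named in the thread: sendrst releases the entry, sendrstkeep does not, and the lookup-miss and ACK-mismatch paths are routed to sendrstkeep so the freeing label is only ever reached with a valid entry. The checks it applies are the ones quoted above, SND.UNA == SEG.ACK, the RCV.NXT/RCV.WND window test and the anti-LAND RCV.IRS < SEG.SEQ test; discarding the entry when the LAND test fails is a choice of this model, not the kernel's policy.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sequence-space comparisons modulo 2^32, in the spirit of the kernel's SEQ_* macros. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)

/* Hypothetical, much simplified syncache entry: only the fields the
 * expand-time checks need. Not FreeBSD's struct syncache. */
struct sc_entry {
    uint32_t key;      /* stands in for the connection 4-tuple */
    uint32_t irs;      /* RCV.IRS: the peer's ISN, learned from its SYN */
    uint32_t iss;      /* our ISN, sent in the SYN-ACK; SND.UNA == iss + 1 */
    uint32_t rcv_wnd;  /* window we advertised in the SYN-ACK */
    int      in_use;
};

/* Hypothetical segment: the fields of the final ACK that matter here. */
struct segment { uint32_t key, seq, ack, len; };

enum expand_result {
    EXPAND_SOCKET,     /* handshake completed, entry consumed, socket created */
    EXPAND_RST_FREED,  /* reached sendrst: entry released, RST sent */
    EXPAND_RST_KEPT,   /* reached sendrstkeep: RST sent, entry (if any) untouched */
    EXPAND_DROP        /* out-of-window segment silently dropped, entry kept */
};

#define SC_MAX 8
static struct sc_entry sc_table[SC_MAX];
static int sc_frees;   /* number of entries released; lets a test see what was freed */

void sc_reset(void) { memset(sc_table, 0, sizeof sc_table); sc_frees = 0; }

int sc_add(uint32_t key, uint32_t irs, uint32_t iss, uint32_t rcv_wnd) {
    for (int i = 0; i < SC_MAX; i++) {
        if (sc_table[i].in_use) continue;
        sc_table[i] = (struct sc_entry){ key, irs, iss, rcv_wnd, 1 };
        return 0;
    }
    return -1;  /* table full */
}

struct sc_entry *sc_lookup(uint32_t key) {
    for (int i = 0; i < SC_MAX; i++)
        if (sc_table[i].in_use && sc_table[i].key == key)
            return &sc_table[i];
    return NULL;
}

static void sc_free(struct sc_entry *sc) {
    /* Like the kernel's syncache_free(), this does not tolerate NULL; the
     * thread's bug was routing a lookup miss to a label that calls it. */
    if (sc == NULL) abort();
    sc->in_use = 0;
    sc_frees++;
}

enum expand_result syncache_expand_model(const struct segment *seg) {
    struct sc_entry *sc = sc_lookup(seg->key);
    uint32_t rcv_nxt, seg_end;

    if (sc == NULL)
        goto sendrstkeep;   /* no entry, so nothing to free: never goto sendrst here */

    /* SND.UNA == SEG.ACK: the ACK must cover exactly our SYN. A wrong ACK
     * gets a RST but the entry stays, so the peer's real ACK can still succeed. */
    if (seg->ack != sc->iss + 1)
        goto sendrstkeep;

    /* Anti-LAND test RCV.IRS < SEG.SEQ. Model choice: the entry is discarded,
     * since the SYN that created it is as suspect as this segment. */
    if (SEQ_LEQ(seg->seq, sc->irs))
        goto sendrst;

    /* RCV.NXT <= SEG.SEQ+SEG.LEN-1 < RCV.NXT+RCV.WND, with RCV.NXT = IRS+1;
     * for an empty segment the tested point is SEG.SEQ itself. */
    rcv_nxt = sc->irs + 1;
    seg_end = seg->len ? seg->seq + seg->len - 1 : seg->seq;
    if (!(SEQ_LEQ(rcv_nxt, seg->seq) && SEQ_LT(seg_end, rcv_nxt + sc->rcv_wnd)))
        goto drop;

    sc_free(sc);            /* handshake done: the entry is consumed by the new socket */
    return EXPAND_SOCKET;

sendrst:
    sc_free(sc);            /* only reachable with a non-NULL sc */
    return EXPAND_RST_FREED;
sendrstkeep:
    return EXPAND_RST_KEPT;
drop:
    return EXPAND_DROP;
}

/* Convenience wrapper so a caller need not build a struct. */
enum expand_result expand4(uint32_t key, uint32_t seq, uint32_t ack, uint32_t len) {
    struct segment seg = { key, seq, ack, len };
    return syncache_expand_model(&seg);
}

int main(void) {
    sc_reset();
    sc_add(1, 1000, 5000, 4096);
    printf("miss=%d badack=%d good=%d\n",
           expand4(2, 1001, 5001, 0), expand4(1, 1001, 5002, 0), expand4(1, 1001, 5001, 0));
    return 0;
}
```

The counter sc_frees and the table state are what a reviewer of such a change wants to check: a lookup miss and a bad ACK must leave sc_frees unchanged and the entry in place, while the success path and the sendrst path must remove exactly one entry.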