TCP and syncache question

Hartmut Brandt hartmut.brandt at
Fri Nov 21 10:56:46 PST 2008

Andre Oppermann wrote:
> Harti Brandt wrote:
>> Hi Andre,
>> On Mon, 17 Nov 2008, Andre Oppermann wrote:
>> AO>This is a bit more complicated because of interactions with 
>> tcp_input()
>> AO>where syncache_expand() is called from.
>> AO>
>> AO>The old code (as of December 2002) behaved slightly different.  It 
>> would
>> AO>not remove the syncache entry when (SND.UNA == SEG.ACK) but send a 
>> RST.
>> AO>The (RCV.NXT =< SEG.SEQ+SEG.LEN-1 < RCV.NXT+RCV.WND) test wasn't 
>> done at
>> AO>all.  Instead a socket was opened whenever (SND.UNA == SEG.ACK) 
>> succeeded.
>> AO>This gave way to the "LAND" DoS attack which was mostly fixed with 
>> a test
>> AO>for (RCV.IRS < SEG.SEQ).
>> AO>
>> AO>See the attached patch for fixed version of syncache_expand().  
>> This patch
>> AO>is untested though.  My development machine is currently down.  
>> Harti, Rui
>> AO>and Bjoern, please have a look at the patch and review it.
>> Some small problems:
> ...
>> Need another cast here: *lsop = (struct socket *)1.
> Changed the logic to use a NULL *lsop to differentiate in tcp_input().
> Much simpler.
Turns out there is a bug in the patch: after the call to 
syncache_lookup() at test sc == NULL is made and if sc == NULL and may 
goto sendrst:

    if (sc != &scs)

Here syncache_free panics because of the NULL passed to it. I suppose 
both gotos under the if() should go to sendrstkeep instead.


More information about the freebsd-net mailing list