NetBSD Problem Report #46304

From www@NetBSD.org  Fri Apr  6 18:19:21 2012
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	by www.NetBSD.org (Postfix) with ESMTP id 0C3A363B9FE
	for <gnats-bugs@gnats.NetBSD.org>; Fri,  6 Apr 2012 18:19:21 +0000 (UTC)
Message-Id: <20120406181920.2045D63B946@www.NetBSD.org>
Date: Fri,  6 Apr 2012 18:19:20 +0000 (UTC)
From: dennis.c.ferguson@gmail.com
Reply-To: dennis.c.ferguson@gmail.com
To: gnats-bugs@NetBSD.org
Subject: TCP can incorrectly update the advertised window (tp->snd_wnd)
X-Send-Pr-Version: www-1.0

>Number:         46304
>Category:       kern
>Synopsis:       TCP can incorrectly update the advertised window (tp->snd_wnd)
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Apr 06 18:20:00 +0000 2012
>Originator:     Dennis Ferguson
>Release:        5.99.52
>Organization:
>Environment:
NetBSD timerxxx.juniper.net 5.99.52 NetBSD 5.99.52 (GENERIC) #41: Wed Feb  8 08:53:09 UTC 2012  dennis@timerxxx.juniper.net:/usr/obj/sys/arch/amd64/compile/GENERIC amd64
>Description:
There is a bug in netinet/tcp_input.c which can cause it to decrement the unsigned variable tp->snd_wnd below zero.  This causes tcp_output() to think a zero advertised window is in fact a very huge advertised window, which can result in it sending many packets outside the window of the neighbor.

See the tech-net@netbsd.org thread starting here:

    http://mail-index.NetBSD.org/tech-net/2012/04/01/msg003203.html

My analysis of the problem is here:

    http://mail-index.NetBSD.org/tech-net/2012/04/04/msg003218.html

Someone should fix this.  I'm filing this so the problem doesn't get lost.
>How-To-Repeat:
See above.  It happens when a TCP packet is received which simultaneously acks data outside the window advertised in a previous packet, and which carries old, retransmitted data.
>Fix:
Either:

(1) Do what FreeBSD seems to have done.  Make it believe and copy the advertised window from any packet which acks new data, even if the packet is carrying retransmitted data.

or:

(2) Avoid decrementing tp->snd_wnd below zero, or make it a signed variable and treat a negative value the same as zero.
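
The following is an added illustration of the underflow and of fix option (2); it is not NetBSD source and not part of the original report. It assumes a 32-bit unsigned window field that is decremented by the number of newly acked bytes, and all function names and values are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption, not tcp_input.c): snd_wnd is the peer's
 * advertised window as tracked by the sender, and an ACK reduces it by the
 * number of newly acknowledged bytes. */

/* Buggy form: acking more bytes than the tracked window wraps modulo 2^32. */
static uint32_t wnd_sub_wrapping(uint32_t snd_wnd, uint32_t acked)
{
    return snd_wnd - acked;
}

/* Fix (2), first variant: never decrement below zero. */
static uint32_t wnd_sub_clamped(uint32_t snd_wnd, uint32_t acked)
{
    return acked > snd_wnd ? 0 : snd_wnd - acked;
}

/* Fix (2), second variant: keep a signed value ... */
static int64_t wnd_sub_signed(int64_t snd_wnd, uint32_t acked)
{
    return snd_wnd - (int64_t)acked;
}

/* ... and treat a negative value the same as zero wherever it is used. */
static uint32_t wnd_usable(int64_t snd_wnd)
{
    if (snd_wnd <= 0)
        return 0;
    return snd_wnd > UINT32_MAX ? UINT32_MAX : (uint32_t)snd_wnd;
}

/* What the output path believes it may send: min(window, queued bytes). */
static uint32_t sendable(uint32_t wnd, uint32_t queued)
{
    return wnd < queued ? wnd : queued;
}

int main(void)
{
    /* Constructed values: 1000-byte window, ACK covering 1460 bytes. */
    uint32_t wnd = 1000, acked = 1460, queued = 65535;
    uint32_t bad = wnd_sub_wrapping(wnd, acked);
    uint32_t ok = wnd_sub_clamped(wnd, acked);
    uint32_t sg = wnd_usable(wnd_sub_signed(wnd, acked));

    printf("wrapping: wnd=%u sendable=%u\n", (unsigned)bad, (unsigned)sendable(bad, queued));
    printf("clamped:  wnd=%u sendable=%u\n", (unsigned)ok, (unsigned)sendable(ok, queued));
    printf("signed:   wnd=%u sendable=%u\n", (unsigned)sg, (unsigned)sendable(sg, queued));
    return 0;
}
```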
