NetBSD Problem Report #46304
From www@NetBSD.org Fri Apr 6 18:19:21 2012
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
by www.NetBSD.org (Postfix) with ESMTP id 0C3A363B9FE
for <gnats-bugs@gnats.NetBSD.org>; Fri, 6 Apr 2012 18:19:21 +0000 (UTC)
Message-Id: <20120406181920.2045D63B946@www.NetBSD.org>
Date: Fri, 6 Apr 2012 18:19:20 +0000 (UTC)
From: dennis.c.ferguson@gmail.com
Reply-To: dennis.c.ferguson@gmail.com
To: gnats-bugs@NetBSD.org
Subject: TCP can incorrectly update the advertised window (tp->snd_wnd)
X-Send-Pr-Version: www-1.0
>Number: 46304
>Category: kern
>Synopsis: TCP can incorrectly update the advertised window (tp->snd_wnd)
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Apr 06 18:20:00 +0000 2012
>Originator: Dennis Ferguson
>Release: 5.99.52
>Organization:
>Environment:
NetBSD timerxxx.juniper.net 5.99.52 NetBSD 5.99.52 (GENERIC) #41: Wed Feb 8 08:53:09 UTC 2012 dennis@timerxxx.juniper.net:/usr/obj/sys/arch/amd64/compile/GENERIC amd64
>Description:
There is a bug in netinet/tcp_input.c which can cause it to decrement the unsigned variable tp->snd_wnd below zero. This causes tcp_output() to think a zero advertised window is in fact a very huge advertised window, which can result in it sending many packets outside the window of the neighbor.
See the tech-net@netbsd.org thread starting here:
http://mail-index.NetBSD.org/tech-net/2012/04/01/msg003203.html
My analysis of the problem is here:
http://mail-index.NetBSD.org/tech-net/2012/04/04/msg003218.html
Someone should fix this. I'm filing this so the problem doesn't get lost.
>How-To-Repeat:
See above. It happens when a TCP packet is received which simultaneously acks data outside the window advertised in a previous packet, and which carries old, retransmitted data.
>Fix:
Either:
(1) Do what FreeBSD seems to have done. Make it believe and copy the advertised window from any packet which acks new data, even if the packet is carrying retransmitted data.
or:
(2) Avoid decrementing tp->snd_wnd below zero, or make it a signed variable and treat a negative value the same as zero.
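
Added example, not part of the original report and not NetBSD's tcp_input.c code: a small C model of the unsigned wrap described above and of the two forms of fix (2). The 32-bit width, the function names, and the assumption that the window is decremented by the number of acked bytes are illustrative; the byte counts are constructed sample values.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the send window as an unsigned counter. */

/* Buggy pattern: unsigned subtraction wraps modulo 2^32 when acked > snd_wnd. */
static uint32_t wnd_sub_wrapping(uint32_t snd_wnd, uint32_t acked)
{
    return snd_wnd - acked;
}

/* Fix (2), first form: never decrement below zero. */
static uint32_t wnd_sub_clamped(uint32_t snd_wnd, uint32_t acked)
{
    return acked >= snd_wnd ? 0 : snd_wnd - acked;
}

/* Fix (2), second form: keep the window signed and read negative as zero. */
static uint32_t wnd_from_signed(int32_t snd_wnd)
{
    return snd_wnd < 0 ? 0 : (uint32_t)snd_wnd;
}

/* Sender's view (model only): bytes it believes the peer will still accept. */
static uint32_t sendable_bytes(uint32_t snd_wnd, uint32_t in_flight)
{
    return snd_wnd > in_flight ? snd_wnd - in_flight : 0;
}

int main(void)
{
    /* Constructed case: 1000 bytes of window left, ACK covers 1460 bytes. */
    uint32_t wnd = 1000, acked = 1460;

    uint32_t bad = wnd_sub_wrapping(wnd, acked);
    uint32_t clamped = wnd_sub_clamped(wnd, acked);
    uint32_t from_signed = wnd_from_signed((int32_t)wnd - (int32_t)acked);

    printf("wrapping: snd_wnd=%" PRIu32 " sendable=%" PRIu32 "\n",
           bad, sendable_bytes(bad, 0));
    printf("clamped:  snd_wnd=%" PRIu32 " sendable=%" PRIu32 "\n",
           clamped, sendable_bytes(clamped, 0));
    printf("signed:   snd_wnd=%" PRIu32 " sendable=%" PRIu32 "\n",
           from_signed, sendable_bytes(from_signed, 0));
    return 0;
}
```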