NetBSD Problem Report #46304

Date: Fri,  6 Apr 2012 18:19:20 +0000 (UTC)
Subject: TCP can incorrectly update the advertised window (tp->snd_wnd)
X-Send-Pr-Version: www-1.0

>Number:         46304
>Category:       kern
>Synopsis:       TCP can incorrectly update the advertised window (tp->snd_wnd)
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Apr 06 18:20:00 +0000 2012
>Originator:     Dennis Ferguson
>Release:        5.99.52
>Environment:
NetBSD 5.99.52 NetBSD 5.99.52 (GENERIC) #41: Wed Feb  8 08:53:09 UTC 2012 amd64
>Description:
There is a bug in netinet/tcp_input.c which can cause it to decrement the unsigned variable tp->snd_wnd below zero.  This causes tcp_output() to think a zero advertised window is in fact a very huge advertised window, which can result in it sending many packets outside the window of the neighbor.

See the thread starting here:

My analysis of the problem is here:

Someone should fix this.  I'm filing this so the problem doesn't get lost.
>How-To-Repeat:
See above.  It happens when a TCP packet is received which simultaneously acks data outside the window advertised in a previous packet, and which carries old, retransmitted data.

>Fix:
(1) Do what FreeBSD seems to have done.  Make it believe and copy the advertised window from any packet which acks new data, even if the packet is carrying retransmitted data.


(2) Avoid decrementing tp->snd_wnd below zero, or make it a signed variable and treat a negative value the same as zero.
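
The wraparound described in this report and the effect of both proposed fixes, as an added example that is not part of the PR and is not NetBSD code. It is a simplified model: it assumes the decrement is by the number of newly acknowledged bytes and that the window copy is skipped for a segment carrying old data; all names other than snd_wnd are hypothetical and the values are constructed.

```c
#include <limits.h>
#include <stdio.h>

enum policy { AS_REPORTED, FIX1_TRUST_ACK, FIX2_CLAMP };

/*
 * Returns the new snd_wnd after one incoming segment.
 *   acked    - bytes newly acknowledged by the segment
 *   adv_wnd  - window advertised in the segment
 *   old_data - nonzero if the segment carries old, retransmitted data
 */
unsigned long update_snd_wnd(unsigned long snd_wnd, unsigned long acked,
                             unsigned long adv_wnd, int old_data,
                             enum policy p)
{
    /* Decrement for acked data; FIX2_CLAMP refuses to go below zero. */
    if (p == FIX2_CLAMP && acked > snd_wnd)
        snd_wnd = 0;
    else
        snd_wnd -= acked;   /* unsigned: wraps when acked > snd_wnd */

    /* Window copy: modeled as skipped for segments carrying old data,
     * unless FIX1_TRUST_ACK accepts it because new data is acked. */
    if (!old_data || (p == FIX1_TRUST_ACK && acked > 0))
        snd_wnd = adv_wnd;
    return snd_wnd;
}

/* Fix (2), signed variant: a negative window is treated as zero. */
unsigned long usable_from_signed(long snd_wnd)
{
    return snd_wnd < 0 ? 0UL : (unsigned long)snd_wnd;
}

int main(void)
{
    /* Constructed case: window was 1000, the segment acks 1460 bytes,
     * advertises a zero window and carries retransmitted data. */
    printf("as reported:  %lu (ULONG_MAX is %lu)\n",
           update_snd_wnd(1000UL, 1460UL, 0UL, 1, AS_REPORTED), ULONG_MAX);
    printf("fix 1:        %lu\n",
           update_snd_wnd(1000UL, 1460UL, 0UL, 1, FIX1_TRUST_ACK));
    printf("fix 2 clamp:  %lu\n",
           update_snd_wnd(1000UL, 1460UL, 0UL, 1, FIX2_CLAMP));
    printf("fix 2 signed: %lu\n", usable_from_signed(1000L - 1460L));
    return 0;
}
```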
