The branch stable/15 has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=0ca910a682c332feee35b431a5097440bbf65bc7
commit 0ca910a682c332feee35b431a5097440bbf65bc7 Author: Michael Tuexen <[email protected]> AuthorDate: 2025-10-01 19:14:23 +0000 Commit: Michael Tuexen <[email protected]> CommitDate: 2025-10-05 13:29:55 +0000 tcp: cleanup syncache_expand() Only validate SEG.SEQ and SEG.ACK when processing a real SYN-cache entry. In the SYN-cookie case, these conditions are always true, since the SYN-cache entry on the stack is constructed from the incoming TCP segment. While there, fix the logging messages. Reviewed by: Nick Banks Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D52816 (cherry picked from commit 3034fa3d4321fdc487428c9050711de9ce234567) --- sys/netinet/tcp_syncache.c | 52 ++++++++++++++++++++++++++-------------------- 1 file changed, 29 insertions(+), 23 deletions(-) diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c index 72e9dccea9a5..518cef66e7fa 100644 --- a/sys/netinet/tcp_syncache.c +++ b/sys/netinet/tcp_syncache.c @@ -1260,6 +1260,35 @@ syncache_expand(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th, return (-1); /* Do not send RST */ } } + + /* + * SEG.ACK validation: + * SEG.ACK must match our initial send sequence number + 1. + */ + if (th->th_ack != sc->sc_iss + 1) { + SCH_UNLOCK(sch); + if ((s = tcp_log_addrs(inc, th, NULL, NULL))) + log(LOG_DEBUG, "%s; %s: ACK %u != ISS+1 %u, " + "segment rejected\n", + s, __func__, th->th_ack, sc->sc_iss + 1); + goto failed; + } + + /* + * SEG.SEQ validation: + * The SEG.SEQ must be in the window starting at our + * initial receive sequence number + 1. + */ + if (SEQ_LEQ(th->th_seq, sc->sc_irs) || + SEQ_GT(th->th_seq, sc->sc_irs + sc->sc_wnd)) { + SCH_UNLOCK(sch); + if ((s = tcp_log_addrs(inc, th, NULL, NULL))) + log(LOG_DEBUG, "%s; %s: SEQ %u != IRS+1 %u, " + "segment rejected\n", + s, __func__, th->th_seq, sc->sc_irs + 1); + goto failed; + } + TAILQ_REMOVE(&sch->sch_bucket, sc, sc_hash); sch->sch_length--; #ifdef TCP_OFFLOAD @@ -1272,29 +1301,6 @@ syncache_expand(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th, SCH_UNLOCK(sch); } - /* - * Segment validation: - * ACK must match our initial sequence number + 1 (the SYN|ACK). - */ - if (th->th_ack != sc->sc_iss + 1) { - if ((s = tcp_log_addrs(inc, th, NULL, NULL))) - log(LOG_DEBUG, "%s; %s: ACK %u != ISS+1 %u, segment " - "rejected\n", s, __func__, th->th_ack, sc->sc_iss); - goto failed; - } - - /* - * The SEQ must fall in the window starting at the received - * initial receive sequence number + 1 (the SYN). - */ - if (SEQ_LEQ(th->th_seq, sc->sc_irs) || - SEQ_GT(th->th_seq, sc->sc_irs + sc->sc_wnd)) { - if ((s = tcp_log_addrs(inc, th, NULL, NULL))) - log(LOG_DEBUG, "%s; %s: SEQ %u != IRS+1 %u, segment " - "rejected\n", s, __func__, th->th_seq, sc->sc_irs); - goto failed; - } - *lsop = syncache_socket(sc, *lsop, m); if (__predict_false(*lsop == NULL)) {
