>Number:         177456
>Category:       misc
>Synopsis:       An error in calculating the TCP sequence number will result in the machine restarting
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 29 00:00:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     HouYeFei&XiBoLiu
>Release:        FreeBSD-9.0
>Organization:
H3C
>Environment:
FreeBSD www.unixnotes.net 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Sun May  4 
12:36:15 HKT 2012     
[email protected]:/usr/src/sys/i386/compile/unixnotes  i386
>Description:
There are a large number of TCP links between the Client and the Server, and each link can
transmit large amounts of data. When the Client is low on memory and, at the same
time, wants to establish a new TCP connection to the server, the Client
sends a SYN message and starts the retransmission timer, but the first
retransmission fails to send because there are not enough mbufs. At this time, the
sequence number of transmitted messages on the tcpcb (tp->snd_nxt) regresses. Then
a SYN+ACK message is received, and in processing it the tp->snd_una sequence number is
increased by 1, resulting in tp->snd_nxt < th->snd_una. It is likely that
the sending buffer has data to send, but it is actually empty, and
Tcp_output is called to send an ACK to the Server. But Tcp_output enters the mbuf
replication process, leading to access of a null pointer.
>How-To-Repeat:
Make the Client and the Server create a large number of TCP links. The system of the
Client is FreeBSD 9.0.
>Fix:
Please read the patch file

Patch attached with submission follows:


        case TCPS_SYN_SENT:
                        /* Do window scaling on this connection? */
                        if ((tp->t_flags & (TF_RCVD_SCALE|TF_REQ_SCALE)) ==
                                (TF_RCVD_SCALE|TF_REQ_SCALE)) {
                                tp->rcv_scale = tp->request_r_scale;
                        }
                        tp->rcv_adv += imin(tp->rcv_wnd,
                            TCP_MAXWIN << tp->rcv_scale);
                        tp->snd_una++;          /* SYN is acked */



the begin of modification:
                        if (SEQ_LT(tp->snd_nxt, tp->snd_una))
                        {
                                tp->snd_nxt = tp->snd_una;
                        }
the end of modification:




                        /*
                         * If there's data, delay ACK; if there's also a FIN
                         * ACKNOW will be turned on later.
                         */
                        if (DELAY_ACK(tp) && tlen != 0)
                                tcp_timer_activate(tp, TT_DELACK,
                                    tcp_delacktime);
                        else
                                tp->t_flags |= TF_ACKNOW;
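
Review bot: The clamp added after `tp->snd_una++` in the TCPS_SYN_SENT case repairs `tp->snd_nxt` only on this one path and only after it has already fallen behind `tp->snd_una`. The description places the regression in the failed SYN retransmission, so that error path is where `snd_nxt` should be kept from moving back, with this check kept as a defensive guard at most. Please add a comment saying why `snd_nxt` can be below `snd_una` at this point, and drop the braces around the single assignment so the block matches the surrounding style. The "the begin of modification:" and "the end of modification:" lines are not C and no file name is given, so this cannot be applied as it stands; please resend it as `diff -u` output against the affected source file.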

                        


>Release-Note:
>Audit-Trail:
>Unformatted:
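
The state the description walks through, as an added C model that is not part of the original report or of FreeBSD's source. `mini_tcpcb`, `bytes_to_send` and its length formula are simplified assumptions, and the ISS values are constructed; it shows an empty send buffer yielding a non-zero length once snd_nxt is behind snd_una, and the submitted clamp bringing it back to zero.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t tcp_seq;
/* Modular (wrap-safe) comparison in the style of the SEQ_LT used in the patch. */
#define SEQ_LT(a, b) ((int32_t)((a) - (b)) < 0)

/* Hypothetical, reduced stand-in for the two tcpcb fields the report names. */
struct mini_tcpcb {
    tcp_seq snd_una;   /* oldest unacknowledged sequence number */
    tcp_seq snd_nxt;   /* next sequence number to send */
};

/* Assumed simplification of how an output path sizes the next segment:
 * bytes in the send buffer minus the offset that was already sent. */
static long bytes_to_send(const struct mini_tcpcb *tp, long sb_cc)
{
    long off = (int32_t)(tp->snd_nxt - tp->snd_una);
    return sb_cc - off;
}

/* Replays the events from the description; returns the computed length. */
static long syn_ack_after_failed_rexmt(tcp_seq iss, int apply_fix)
{
    struct mini_tcpcb tp = { .snd_una = iss, .snd_nxt = iss + 1 }; /* SYN sent */

    tp.snd_nxt = tp.snd_una;  /* snd_nxt regresses; the retransmit fails (no mbuf) */
    tp.snd_una++;             /* SYN+ACK arrives: SYN is acked */

    if (apply_fix && SEQ_LT(tp.snd_nxt, tp.snd_una))
        tp.snd_nxt = tp.snd_una;   /* clamp from the submitted patch */

    return bytes_to_send(&tp, 0);  /* the send buffer is empty */
}

int main(void)
{
    /* Constructed ISS values, including one where snd_una wraps to 0. */
    tcp_seq iss[] = { 1000u, 0xffffffffu };
    for (int i = 0; i < 2; i++)
        printf("iss=%u  unpatched len=%ld  patched len=%ld\n", (unsigned)iss[i],
            syn_ack_after_failed_rexmt(iss[i], 0),
            syn_ack_after_failed_rexmt(iss[i], 1));
    return 0;
}
```

A length of 1 with nothing in the buffer is the inconsistent state the report describes; the second ISS shows why the check has to use a modular comparison rather than a plain `<`.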