Subject: kern/3733: 2 bugs in tcp_input.c mentioned in "TCP/IP Illustrated Vol 2"
To: None <gnats-bugs@gnats.netbsd.org>
From: None <frueauf@ira.uka.de>
List: netbsd-bugs
Date: 06/10/1997 10:47:04
>Number:         3733
>Category:       kern
>Synopsis:       2 bugs in tcp_input.c mentioned in "TCP/IP Illustrated Vol 2"
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jun 10 01:35:01 1997
>Last-Modified:
>Originator:     Thorsten Frueauf
>Organization:
private
	
>Release:        NetBSD current 08.06.1997
>Environment:
	
System: NetBSD cyberlap 1.2F NetBSD 1.2F (CYBERLAP) #4: Tue Jun 10 07:46:20 CEST 1997 frueauf@cyberlap:/usr/src/sys/arch/i386/compile/CYBERLAP i386

>Description:
	
There are 2 bugs in /src/sys/netinet/tcp_input.c described in
"TCP/IP Illustrated Vol. 2" which I think are still in NetBSD too:

1) According to page 948, the timer should be turned off only if the ACK flag
   is set, since the receipt of a SYN without an ACK is a simultaneous open,
   and doesn't mean the other end received TCP's SYN.

2) The bug mentioned on page 956 is explained and solved in more
   detail on page 959ff. - NetBSD has one part of the fix, but
   there is still one part missing.

>How-To-Repeat:
	
Read the above cited pages in "TCP/IP Illustrated Vol. 2".

>Fix:
	
The following patch has worked for me without problems so far. Apply it to
/src/sys/netinet/tcp_input.c:

*** tcp_input.c-orig	Mon Jun  9 23:41:45 1997
--- tcp_input.c	Tue Jun 10 00:13:50 1997
***************
*** 658,665 ****
  			tp->snd_una = ti->ti_ack;
  			if (SEQ_LT(tp->snd_nxt, tp->snd_una))
  				tp->snd_nxt = tp->snd_una;
  		}
- 		tp->t_timer[TCPT_REXMT] = 0;
  		tp->irs = ti->ti_seq;
  		tcp_rcvseqinit(tp);
  		tp->t_flags |= TF_ACKNOW;
--- 658,665 ----
  			tp->snd_una = ti->ti_ack;
  			if (SEQ_LT(tp->snd_nxt, tp->snd_una))
  				tp->snd_nxt = tp->snd_una;
+ 			tp->t_timer[TCPT_REXMT] = 0;
  		}
  		tp->irs = ti->ti_seq;
  		tcp_rcvseqinit(tp);
  		tp->t_flags |= TF_ACKNOW;
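Review bot: the condition guarding the block that `tp->t_timer[TCPT_REXMT] = 0;` is moved into is not visible in this hunk, whose context starts at `tp->snd_una = ti->ti_ack;`; please widen the context to include the enclosing `if` so a reviewer can confirm it is the ACK-flag test the description refers to, and put the reason on the moved line itself, e.g. `/* only an ACK confirms our SYN arrived; a bare SYN is a simultaneous open */`, since otherwise the rationale lives only in this PR.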
***************
*** 753,759 ****
  			}
  			todrop--;
  		}
! 		if (todrop >= ti->ti_len) {
  			/*
  			 * Any valid FIN must be to the left of the
  			 * window.  At this point, FIN must be a
--- 753,761 ----
  			}
  			todrop--;
  		}
! 		if (todrop >= ti->ti_len ||
! 		    (todrop == ti->ti_len && (tiflags & TH_FIN) == 0)) {
! 
  			/*
  			 * Any valid FIN must be to the left of the
  			 * window.  At this point, FIN must be a
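Review bot: the new test at `if (todrop >= ti->ti_len ||` is logically identical to the old one. The added disjunct `(todrop == ti->ti_len && (tiflags & TH_FIN) == 0)` can only be true when `todrop == ti->ti_len`, and that case already satisfies `todrop >= ti->ti_len`, so the branch is entered in exactly the same cases as before and a segment whose data bytes are all old but which carries a new FIN still has its FIN cleared below. The first comparison has to become `todrop > ti->ti_len`, so that the `todrop == ti->ti_len` case is decided by the FIN bit alone. The empty `! ` line inserted before the comment should also be dropped.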
>Audit-Trail:
>Unformatted:
2 bugs in tcp_input.c mentioned in "TCP/IP Illustrated Vol 2"
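An added example, not part of the PR or of NetBSD's tcp_input.c: a stand-alone C model of the "drop data already received" step that the second hunk modifies, written for this page to show what item 2 of the description is about. It runs the same constructed segment through the original `todrop >= ti_len` test and through the `todrop > ti_len || (todrop == ti_len && no FIN)` form that the book's fix on the cited pages uses (that form is taken from 4.4BSD-Lite2 and is assumed here, not quoted from the PR). Field names follow tcp_input.c (todrop, ti_len, tiflags, TH_SYN, TH_FIN); the struct, enum, function and sample values are mine.

```c
/*
 * Added example, not NetBSD code: a model of the sequence-trimming
 * block in tcp_input().  Names todrop/ti_len/tiflags/TH_* follow
 * tcp_input.c; everything else here is invented for illustration.
 */
#include <stdint.h>
#include <stdio.h>

#define TH_FIN 0x01
#define TH_SYN 0x02

struct seg {
    uint32_t seq;   /* ti_seq: first sequence number covered by the data */
    int      len;   /* ti_len: bytes of data carried by the segment */
    int      flags; /* tiflags */
};

/* which "whole segment is old" test to apply */
enum test_kind {
    TEST_GE,   /* original NetBSD test:  todrop >= ti_len */
    TEST_GT    /* 4.4BSD-Lite2 test (assumed): todrop > ti_len || (== && !FIN) */
};

/*
 * Drop the part of *s that lies before rcv_nxt.  Returns the number of
 * data bytes dropped and updates seq/len/flags in place, mirroring the
 * m_adj()/ti_seq/ti_len updates at the end of the block in tcp_input().
 */
static int
trim_old_data(uint32_t rcv_nxt, struct seg *s, enum test_kind kind)
{
    int todrop = (int)(rcv_nxt - s->seq);

    if (todrop <= 0)
        return 0;                       /* nothing before rcv_nxt */

    if (s->flags & TH_SYN) {
        /* a SYN occupies one sequence number ahead of the data */
        s->flags &= ~TH_SYN;
        s->seq++;
        todrop--;
    }

    int whole_segment_old;
    if (kind == TEST_GE)
        whole_segment_old = (todrop >= s->len);
    else
        whole_segment_old = (todrop > s->len ||
                             (todrop == s->len && (s->flags & TH_FIN) == 0));

    if (whole_segment_old) {
        /* everything, including any FIN, is a duplicate: drop it all */
        s->flags &= ~TH_FIN;
        todrop = s->len;
    }
    /* partial duplicate, or all data old but the FIN is new: keep the rest */
    s->seq += todrop;
    s->len -= todrop;
    return todrop;
}

int
main(void)
{
    static const char *name[] = { "todrop >= ti_len", "todrop >  ti_len" };

    for (int k = TEST_GE; k <= TEST_GT; k++) {
        /* constructed segment: its 10 data bytes were already received
         * (rcv_nxt is 1000), but the FIN it carries is new */
        struct seg s = { 990, 10, TH_FIN };
        int dropped = trim_old_data(1000, &s, (enum test_kind)k);
        printf("%s: dropped %d bytes, len now %d, FIN %s\n",
               name[k], dropped, s.len,
               (s.flags & TH_FIN) ? "kept" : "lost");
    }
    return 0;
}
```

With the original test the segment is treated as a pure duplicate and the FIN is cleared, so the peer's close is never seen until it retransmits the FIN in a segment that starts at rcv_nxt. With the `>` form the data is still trimmed to zero bytes but the FIN survives and is processed further down in tcp_input(). A segment with a strictly older end (todrop larger than ti_len) loses its FIN under both tests, which is the intended behaviour: such a FIN cannot be new.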