tech-net archive


Re: Unsigned wraparound on window size calculations



On Wed, Apr 18, 2018 at 17:44:22 +0300, Valery Ushakov wrote:

> tcp_output.c has a bug when calculating advertised window size after
> we have successfully accepted a zero-window probe.
[...]
> The second part of that fix is present in NetBSD tree and it fixes the
> worst of the two problems.
> 
>   revision 1.112
>   date: 2004-05-08 18:41:47 +0400;  author: chs;  state: Exp;  lines: +4 -4;
>   work around an LP64 problem where we report an excessively large window
>   due to incorrect mixing of types.

Forgot to mention.

The fix above was replacing (long)(a - b) with (long)(int32_t)(a - b)

We also have in tcp_seq.h a macro:

#define SEQ_SUB(a,b)	((long)((a)-(b)))

that has the same bug.  We've got it in 

  revision 1.12
  date: 1998-10-05 01:33:53 +0400;  author: matt;  state: Exp;  lines: +4 -2;
  branches:  1.12.46;
  Adapt the NEWRENO changes from the UCSB diffs of BSDI 3.0's TCP
  to NetBSD.  Ignore the SACK & FACK stuff for now.

and it's used in one place in tcp_congctl.c.  The macro probably needs
the same fix.

We might also want to use explicit "int32_t" instead of "int" in other
SEQ_* macros.

-uwe

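The LP64 type-mixing problem described in the message, the `(long)((a)-(b))` form of SEQ_SUB against the `(long)(int32_t)((a)-(b))` form of the tcp_output.c fix, as a small added C example; it is not part of the original message or of the NetBSD source. The `seq_sub_*` wrapper functions, the `seq_sub_differs` check, the sample sequence numbers and the `seq_lt` helper are constructed for illustration, and the exact shape of NetBSD's own SEQ_LT macro is an assumption here.

```c
#include <stdint.h>
#include <stdio.h>

/* TCP sequence numbers are 32-bit unsigned values that wrap modulo 2^32. */
typedef uint32_t tcp_seq;

/* SEQ_SUB as quoted from tcp_seq.h.  (a)-(b) is evaluated in 32-bit
 * unsigned arithmetic; on LP64 the 32-bit result is then zero-extended
 * into a 64-bit long, so a "negative" difference such as 0 - 1 becomes
 * 4294967295 instead of -1. */
#define SEQ_SUB_ORIGINAL(a,b)  ((long)((a)-(b)))

/* The same macro with the fix applied to tcp_output.c in revision 1.112:
 * reinterpret the 32-bit difference as int32_t first, so the conversion
 * to long sign-extends. */
#define SEQ_SUB_FIXED(a,b)     ((long)(int32_t)((a)-(b)))

/* Comparison in the style of the SEQ_* macros, written with an explicit
 * int32_t as the message suggests (assumed form, not NetBSD's text). */
#define SEQ_LT_I32(a,b)        ((int32_t)((a)-(b)) < 0)

long seq_sub_original(tcp_seq a, tcp_seq b) { return SEQ_SUB_ORIGINAL(a, b); }
long seq_sub_fixed(tcp_seq a, tcp_seq b)    { return SEQ_SUB_FIXED(a, b); }
int  seq_lt(tcp_seq a, tcp_seq b)           { return SEQ_LT_I32(a, b) ? 1 : 0; }

/* 1 when the two forms disagree on this platform (expected on LP64 for
 * any pair where a is "behind" b in sequence space), 0 otherwise. */
int seq_sub_differs(tcp_seq a, tcp_seq b)
{
	return seq_sub_original(a, b) != seq_sub_fixed(a, b);
}

int main(void)
{
	/* Constructed sample pairs: a plain positive difference, a small
	 * negative difference, and a pair that straddles the 2^32 wrap. */
	const tcp_seq pairs[][2] = {
		{ 10u, 3u },
		{ 0u, 1u },
		{ 5u, 0xFFFFFFF0u },
		{ 0xFFFFFFF0u, 5u },
	};
	size_t i;

	printf("sizeof(long) = %zu\n", sizeof(long));
	for (i = 0; i < sizeof(pairs) / sizeof(pairs[0]); i++) {
		tcp_seq a = pairs[i][0], b = pairs[i][1];
		printf("a=%10u b=%10u  original=%20ld  fixed=%12ld  SEQ_LT=%d\n",
		       a, b, seq_sub_original(a, b), seq_sub_fixed(a, b),
		       seq_lt(a, b));
	}
	return 0;
}
```

On an LP64 host the `0 - 1` row shows the original form returning 4294967295 where the fixed form returns -1; on ILP32 both forms agree because `long` is itself 32 bits, which is why the bug only surfaced on 64-bit ports.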
