From: Andre Oppermann
To: Perforce Change Reviews
Date: Sat, 22 Mar 2008 16:31:01 GMT
Message-Id: <200803221631.m2MGV1Y5040217@repoman.freebsd.org>
Subject: PERFORCE change 138288 for review
List-Id: p4 projects tree changes

http://perforce.freebsd.org/chv.cgi?CH=138288

Change 138288 by andre@andre_flirtbox on 2008/03/22 16:30:22

	Simplified FIN handling based on discussion on TCPM mailing list.

Affected files ...

.. //depot/projects/tcp_reass/netinet/tcp_reass.c#19 edit

Differences ...

==== //depot/projects/tcp_reass/netinet/tcp_reass.c#19 (text+ko) ====
@@ -286,15 +286,29 @@ mcnt += (n->m_flags & M_EXT) ? n->m_ext.ext_size + MSIZE : MSIZE; - tqe = TAILQ_LAST(&tp->t_trq, trq_head); - /* * FIN handling is a bit tricky. - * We only accept a FIN if it matches the right side of the sequence - * space. + * We cannot trust a FIN that goes into the reassembly queue. + * It can be easily spoofed as it may be anywhere in the receive + * window (see RST attack mitigation in tcp-secure). + * For this reason (and complexity avoidance) we generally ignore + * any FIN arriving at the reassembly queue with one exception; + * When it exactly matches rcv_nxt together with any data in the + * same segment we can conclude it to be genuine and proceed with + * flushing any other data waiting in the reassembly queue. + * A FIN is part of the sequence space and will get retransmitted + * if it was genuine. + * This approach is based on a discussion on TCPM mailing list. */ - if (thflags & TH_FIN) { - } + if ((thflags & TH_FIN) && tp->rcv_nxt == th_seq) { + tcp_reass_qfree(tp); + tqe = NULL; + goto insert; + } else + thflags &= ~TH_FIN; + + /* Starting point for the following tests. */ + tqe = TAILQ_LAST(&tp->t_trq, trq_head); /* Check if this segment directly attaches to the end. */ if (tqe && tqe->trq_seq + tqe->trq_len == th_seq) { @@ -525,7 +539,7 @@ return (0); present: /* - * Present data to user, advancing rcv_nxt through + * Present data to user, advancing rcv_nxt through the * completed sequence space. */ KASSERT(!TAILQ_EMPTY(&tp->t_trq), @@ -533,6 +547,7 @@ KASSERT((TAILQ_FIRST(&tp->t_trq))->trq_seq == tp->rcv_nxt, ("%s: first block does not match rcv_nxt", __func__)); tcpstat.tcps_reass_missingseg++; + SOCKBUF_LOCK(&so->so_rcv); TAILQ_FOREACH_SAFE(tqe, &tp->t_trq, trq_q, tqen) { KASSERT(SEQ_GEQ(tqe->trq_seq, tp->rcv_nxt), 
@@ -540,6 +555,7 @@ KASSERT(tqen == NULL || SEQ_LEQ(tqe->trq_seq + tqe->trq_len, tqen->trq_seq), ("%s: block overlaps into next one", __func__)); + if (tqe->trq_seq != tp->rcv_nxt) break; if (so->so_rcv.sb_state & SBS_CANTRCVMORE) @@ -547,8 +563,6 @@ else sbappendstream_locked(&so->so_rcv, tqe->trq_m); tp->rcv_nxt += tqe->trq_len; - KASSERT(!(thflags & TH_FIN) || tqe == TAILQ_LAST(&tp->t_trq, trq_head), - ("%s: FIN not on last block", __func__)); tp->t_trqmcnt -= tqe->trq_mcnt; tcp_reass_mcnt -= tqe->trq_mcnt; TAILQ_REMOVE(&tp->t_trq, tqe, trq_q); @@ -557,7 +571,7 @@ uma_zfree(tcp_reass_zone, tqe); tcp_reass_qsize--; } - /* NB: sorwakeup_locked() does an implicit socket buffer unlock. */ + /* NB: sorwakeup_locked() does a implicit socket buffer unlock. */ sorwakeup_locked(so); /*
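Review bot: In the hunk at @@ -286,15 +286,29 @@, the new comment says a FIN is accepted only when it matches rcv_nxt "together with any data in the same segment", but the test `(thflags & TH_FIN) && tp->rcv_nxt == th_seq` never checks that the segment carries data. Either add the length check to the condition or reword the comment so the two agree. The comment also speaks of "flushing" the other queued data while the code calls `tcp_reass_qfree(tp)`; if that call discards the queued segments rather than delivering them, the comment should say so, since it is the security-relevant effect of accepting the FIN. Style point: brace the `else` branch to match the braced `if`.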
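Review bot: In the hunk at @@ -547,8 +563,6 @@, the KASSERT with the message "FIN not on last block" is dropped without a replacement and without a mention in the change description. The first hunk now either empties the queue before `goto insert` or clears TH_FIN with `thflags &= ~TH_FIN`, so the invariant looks like it should still hold inside this loop. Consider keeping the assertion as a check on the new FIN path, or state in the change description why it no longer applies.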
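Review bot: In the last hunk (@@ -557,7 +571,7 @@), the comment edit turns "an implicit" into "a implicit", which introduces a grammar error into a line that was correct. Drop this part of the change and keep `/* NB: sorwakeup_locked() does an implicit socket buffer unlock. */`.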