Date:      Sun, 26 May 2019 17:18:14 +0000 (UTC)
From:      Michael Tuexen <tuexen@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r348290 - head/sys/netinet
Message-ID:  <201905261718.x4QHIENt031244@repo.freebsd.org>

Author: tuexen
Date: Sun May 26 17:18:14 2019
New Revision: 348290
URL: https://svnweb.freebsd.org/changeset/base/348290

Log:
  When an ACK segment as the third message of the three way handshake is
  received and support for time stamps was negotiated in the SYN/SYNACK
  exchange, perform the PAWS check and only expand the syn cache entry if
  the check is passed.
  Without this check, endpoints may get stuck on the incomplete queue.
  
  Reviewed by:		jtl@
  MFC after:		3 days
  Sponsored by:		Netflix, Inc.
  Differential Revision:	https://reviews.freebsd.org/D20374

Modified:
  head/sys/netinet/tcp_syncache.c

Modified: head/sys/netinet/tcp_syncache.c
==============================================================================
--- head/sys/netinet/tcp_syncache.c	Sun May 26 16:43:06 2019	(r348289)
+++ head/sys/netinet/tcp_syncache.c	Sun May 26 17:18:14 2019	(r348290)
@@ -1142,6 +1142,28 @@ syncache_expand(struct in_conninfo *inc, struct tcpopt
 			}
 		}
 #endif /* TCP_SIGNATURE */
+
+		/*
+		 * RFC 7323 PAWS: If we have a timestamp on this segment and
+		 * it's less than ts_recent, drop it.
+		 * XXXMT: RFC 7323 also requires to send an ACK.
+		 *        In tcp_input.c this is only done for TCP segments
+		 *        with user data, so be consistent here and just drop
+		 *        the segment.
+		 */
+		if (sc->sc_flags & SCF_TIMESTAMP && to->to_flags & TOF_TS &&
+		    TSTMP_LT(to->to_tsval, sc->sc_tsreflect)) {
+			SCH_UNLOCK(sch);
+			if ((s = tcp_log_addrs(inc, th, NULL, NULL))) {
+				log(LOG_DEBUG,
+				    "%s; %s: SEG.TSval %u < TS.Recent %u, "
+				    "segment dropped\n", s, __func__,
+				    to->to_tsval, sc->sc_tsreflect);
+				free(s, M_TCPLOG);
+			}
+			return (-1);  /* Do not send RST */
+		}
+
 		/*
 		 * Pull out the entry to unlock the bucket row.
 		 * 
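Review bot: The PAWS condition `if (sc->sc_flags & SCF_TIMESTAMP && to->to_flags & TOF_TS &&` only fires when the ACK itself carries a timestamp option, so an ACK without one, on an entry where SCF_TIMESTAMP is set, skips the check and continues to the code below that pulls out the entry. If that is intended, say so in the comment block next to the XXXMT remark; if not, handle the missing-option case explicitly. The bitwise tests also rely on & binding tighter than &&; writing them as `(sc->sc_flags & SCF_TIMESTAMP) && (to->to_flags & TOF_TS)` would make the intent obvious at a glance. Finally, the log() call runs for every dropped segment for which tcp_log_addrs() returns a string, and to->to_tsval is taken from the received segment, so please confirm that a peer repeating stale ACKs cannot use this path to flood the log.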