Date: Mon, 13 Aug 2007 13:24:56 -0700
From: "Huang, Yusheng" <yusheng.huang@bluecoat.com>
To: <freebsd-net@freebsd.org>
Subject: An ISN (initial sequence number) bug?
Message-ID: <305C539CA2F86249BF51CDCE8996AFF406322606@bcs-mail2.internal.cacheflow.com>
Hi,

I think there is a bug in the tcp_isn_tick() function.

1477 static void
1478 tcp_isn_tick(xtp)
1479 	void *xtp;
1480 {
1481 	u_int32_t projected_offset;
1482
1483 	INP_INFO_WLOCK(&tcbinfo);
1484 	projected_offset = isn_offset_old + ISN_BYTES_PER_SECOND / 100;
1485
1486 	if (projected_offset > isn_offset)
1487 		isn_offset = projected_offset;
1488
1489 	isn_offset_old = isn_offset;
1490 	callout_reset(&isn_callout, hz/100, tcp_isn_tick, NULL);
1491 	INP_INFO_WUNLOCK(&tcbinfo);
1492 }

If isn_offset is close to the 4G boundary, projected_offset is likely to overflow the 4G value, so the unsigned comparison at line #1486 will not be true and isn_offset will not be incremented by tcp_isn_tick() for a very, very long time.

-yusheng
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?305C539CA2F86249BF51CDCE8996AFF406322606>
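The wraparound described in the message can be reproduced outside the kernel. The program below is an added example, not code from FreeBSD or from the poster: it models the quoted tcp_isn_tick() offset clock with a 32-bit offset, runs the tick as posted (plain unsigned comparison) beside a variant that compares in sequence space with a signed 32-bit difference, in the style of the SEQ_GT() macro from sys/netinet/tcp_seq.h, and counts how many ticks actually advance the offset from a start value just below 2^32. The ISN_BYTES_PER_SECOND value is taken from tcp_subr.c and assumed unchanged; the per-connection increment that tcp_new_isn() adds to isn_offset is deliberately left out so only the tick path is observed; the wrap-safe variant is one candidate fix, not the change FreeBSD committed.

```c
/* Added example: user-space model of the tcp_isn_tick() offset clock.
 * Not FreeBSD code; constants and the wrap-safe variant are assumptions
 * stated in the lead-in. */
#include <stdint.h>
#include <stdio.h>

#define ISN_BYTES_PER_SECOND 1048576                 /* from tcp_subr.c (assumed unchanged) */
#define TICK_INCREMENT (ISN_BYTES_PER_SECOND / 100)   /* hz/100 callout, as in the quoted code */

/* Sequence-space "greater than" in the style of SEQ_GT() in tcp_seq.h:
 * the signed 32-bit difference treats a value that wrapped past 2^32 as later. */
#define SEQ_GT(a, b) ((int32_t)((a) - (b)) > 0)

struct isn_clock {
    uint32_t isn_offset;
    uint32_t isn_offset_old;
};

/* One tick exactly as quoted in the message: unsigned comparison.
 * Once isn_offset_old + TICK_INCREMENT wraps to a small number, the
 * comparison is false and the clock stops advancing. */
static void tick_as_posted(struct isn_clock *c)
{
    uint32_t projected_offset = c->isn_offset_old + TICK_INCREMENT;

    if (projected_offset > c->isn_offset)
        c->isn_offset = projected_offset;
    c->isn_offset_old = c->isn_offset;
}

/* Same tick with the comparison done in sequence space (candidate fix). */
static void tick_wrap_safe(struct isn_clock *c)
{
    uint32_t projected_offset = c->isn_offset_old + TICK_INCREMENT;

    if (SEQ_GT(projected_offset, c->isn_offset))
        c->isn_offset = projected_offset;
    c->isn_offset_old = c->isn_offset;
}

/* Run `ticks` ticks of `tick` starting from `start` and return the final clock. */
static struct isn_clock simulate(void (*tick)(struct isn_clock *),
                                 uint32_t start, unsigned ticks)
{
    struct isn_clock c = { start, start };

    for (unsigned i = 0; i < ticks; i++)
        tick(&c);
    return c;
}

/* Count how many of `ticks` ticks actually changed isn_offset. */
static unsigned advancing_ticks(void (*tick)(struct isn_clock *),
                                uint32_t start, unsigned ticks)
{
    struct isn_clock c = { start, start };
    unsigned advanced = 0;

    for (unsigned i = 0; i < ticks; i++) {
        uint32_t before = c.isn_offset;
        tick(&c);
        if (c.isn_offset != before)
            advanced++;
    }
    return advanced;
}

int main(void)
{
    const uint32_t near_wrap = 0xFFFFFF00u;   /* constructed start value just below 2^32 */

    printf("from 0:          posted %u/100, wrap-safe %u/100 ticks advanced\n",
           advancing_ticks(tick_as_posted, 0, 100),
           advancing_ticks(tick_wrap_safe, 0, 100));
    printf("from 0xFFFFFF00: posted %u/100, wrap-safe %u/100 ticks advanced\n",
           advancing_ticks(tick_as_posted, near_wrap, 100),
           advancing_ticks(tick_wrap_safe, near_wrap, 100));
    printf("wrap-safe offset after 100 ticks from 0xFFFFFF00: 0x%08x\n",
           simulate(tick_wrap_safe, near_wrap, 100).isn_offset);
    return 0;
}
```

From a start of 0 both variants advance on every tick; from 0xFFFFFF00 the posted tick never advances, because isn_offset_old + 10485 wraps to 0x27F5 and is never greater than 0xFFFFFF00 as an unsigned value, while the sequence-space comparison sees a positive difference of 10485 and keeps the clock moving across the boundary.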