From: "Huang, Yusheng"
Delivered-To: freebsd-net@freebsd.org
Date: Mon, 13 Aug 2007 13:24:56 -0700
Subject: An ISN(initial sequence number) bug?
List-Id: Networking and TCP/IP with FreeBSD

Hi,

I think there is a bug in the tcp_isn_tick() function.

    1477 static void
    1478 tcp_isn_tick(xtp)
    1479         void *xtp;
    1480 {
    1481         u_int32_t projected_offset;
    1482
    1483         INP_INFO_WLOCK(&tcbinfo);
    1484         projected_offset = isn_offset_old + ISN_BYTES_PER_SECOND / 100;
    1485
    1486         if (projected_offset > isn_offset)
    1487                 isn_offset = projected_offset;
    1488
    1489         isn_offset_old = isn_offset;
    1490         callout_reset(&isn_callout, hz/100, tcp_isn_tick, NULL);
    1491         INP_INFO_WUNLOCK(&tcbinfo);
    1492 }

If isn_offset is close to the 4G boundary, the projected_offset is likely to overflow the 4G value so the unsigned comparison at line#1486 will not be true and isn_offset will not be incremented by the tcp_isn_tick() for a very long long time.

-yusheng
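
The wraparound described in the message above, modelled in user space as an added example (not part of the original post and not FreeBSD's code). The value of ISN_BYTES_PER_SECOND, the start offset, and the names gt_plain, gt_wrap_safe, isn_tick and advance_after are assumptions; the signed-difference comparison is one wrap-aware alternative, shown for contrast.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed value; the post does not show this definition. */
#define ISN_BYTES_PER_SECOND 1048576u
#define ISN_TICK_STEP (ISN_BYTES_PER_SECOND / 100)

struct isn_state {
    uint32_t isn_offset;
    uint32_t isn_offset_old;
};

/* Comparison as on the posted line 1486: plain unsigned ">". */
static int gt_plain(uint32_t a, uint32_t b) { return a > b; }

/* Wrap-aware alternative: a is ahead of b when the signed
 * 32-bit distance from b to a is positive. */
static int gt_wrap_safe(uint32_t a, uint32_t b) { return (int32_t)(a - b) > 0; }

/* One timer tick; locking and callout rescheduling are left out. */
static void isn_tick(struct isn_state *s, int (*gt)(uint32_t, uint32_t))
{
    uint32_t projected_offset = s->isn_offset_old + ISN_TICK_STEP;

    if (gt(projected_offset, s->isn_offset))
        s->isn_offset = projected_offset;
    s->isn_offset_old = s->isn_offset;
}

/* Run `ticks` ticks from `start`; return how far isn_offset moved (mod 2^32). */
static uint32_t advance_after(uint32_t start, unsigned ticks,
                              int (*gt)(uint32_t, uint32_t))
{
    struct isn_state s = { start, start };

    for (unsigned i = 0; i < ticks; i++)
        isn_tick(&s, gt);
    return s.isn_offset - start;
}

int main(void)
{
    uint32_t near_wrap = UINT32_MAX - 15; /* constructed start value */

    printf("plain:     +%u\n", (unsigned)advance_after(near_wrap, 100, gt_plain));
    printf("wrap-safe: +%u\n", (unsigned)advance_after(near_wrap, 100, gt_wrap_safe));
    return 0;
}
```

With the plain comparison the offset does not move at all across 100 ticks started 16 bytes below the 32-bit boundary, while the same ticks started far from the boundary advance it normally.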