Date: Mon, 13 Aug 2007 15:34:44 -0700 (PDT)
From: Don Lewis <truckman@FreeBSD.org>
To: yusheng.huang@bluecoat.com
Cc: freebsd-net@FreeBSD.org
Subject: Re: An ISN(initial sequence number) bug?
Message-ID: <200708132234.l7DMYiSX067226@gw.catspoiler.org>
In-Reply-To: <305C539CA2F86249BF51CDCE8996AFF406322606@bcs-mail2.internal.cacheflow.com>
On 13 Aug, Huang, Yusheng wrote:
> Hi,
>
> I think there is a bug in the tcp_isn_tick() function.
>
> 1477 static void
> 1478 tcp_isn_tick(xtp)
> 1479 	void *xtp;
> 1480 {
> 1481 	u_int32_t projected_offset;
> 1482
> 1483 	INP_INFO_WLOCK(&tcbinfo);
> 1484 	projected_offset = isn_offset_old + ISN_BYTES_PER_SECOND / 100;
> 1485
> 1486 	if (projected_offset > isn_offset)
> 1487 		isn_offset = projected_offset;
> 1488
> 1489 	isn_offset_old = isn_offset;
> 1490 	callout_reset(&isn_callout, hz/100, tcp_isn_tick, NULL);
> 1491 	INP_INFO_WUNLOCK(&tcbinfo);
> 1492 }
>
> If isn_offset is close to the 4G boundary, the projected_offset is
> likely to overflow the 4G value so the unsigned comparison at line #1486
> will not be true and isn_offset will not be incremented by the
> tcp_isn_tick() for a very long long time.

I think the comparison should be done with the SEQ_GT() macro.
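A self-contained simulation of the tick logic near the 2^32 wrap, added here as an illustration and not code from the thread or from FreeBSD: it runs the quoted unsigned comparison and the proposed SEQ_GT() comparison side by side from a constructed starting offset just below the boundary. ISN_BYTES_PER_SECOND and the 100 Hz tick rate are assumed to match the quoted source, and SEQ_GT is reimplemented locally with the kernel macro's signed-difference sense.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed to match the FreeBSD source the thread quotes. */
#define ISN_BYTES_PER_SECOND 1048576
#define TICKS_PER_SECOND     100

/* Same sense as the kernel's SEQ_GT(): compare the signed 32-bit
 * difference, so a value just past the 2^32 wrap is still "greater". */
#define SEQ_GT(a, b) ((int32_t)((a) - (b)) > 0)

struct isn_state {
    uint32_t isn_offset;
    uint32_t isn_offset_old;
};

/* One tick of the logic as quoted: plain unsigned comparison. */
static void tick_unsigned(struct isn_state *s)
{
    uint32_t projected = s->isn_offset_old + ISN_BYTES_PER_SECOND / TICKS_PER_SECOND;
    if (projected > s->isn_offset)          /* false once projected wraps */
        s->isn_offset = projected;
    s->isn_offset_old = s->isn_offset;
}

/* One tick with the comparison done via SEQ_GT(), as proposed in the reply. */
static void tick_seq_gt(struct isn_state *s)
{
    uint32_t projected = s->isn_offset_old + ISN_BYTES_PER_SECOND / TICKS_PER_SECOND;
    if (SEQ_GT(projected, s->isn_offset))   /* true across the wrap */
        s->isn_offset = projected;
    s->isn_offset_old = s->isn_offset;
}

/* Run n ticks from a constructed offset 5000 bytes below the 4G boundary and
 * return how far isn_offset moved (mod 2^32). */
uint32_t advance_after_ticks(void (*tick)(struct isn_state *), unsigned n)
{
    uint32_t start = 0xFFFFFFFFu - 5000;
    struct isn_state s = { start, start };
    for (unsigned i = 0; i < n; i++)
        tick(&s);
    return s.isn_offset - start;
}

int main(void)
{
    printf("unsigned compare, 3 ticks: advanced %u bytes\n", advance_after_ticks(tick_unsigned, 3));
    printf("SEQ_GT compare,   3 ticks: advanced %u bytes\n", advance_after_ticks(tick_seq_gt, 3));
    return 0;
}
```

With the unsigned comparison the offset stays frozen at the starting value on every tick, while the SEQ_GT() version keeps advancing by ISN_BYTES_PER_SECOND / 100 per tick across the wrap.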