From: Don Lewis
To: yusheng.huang@bluecoat.com
Cc: freebsd-net@FreeBSD.org
Date: Mon, 13 Aug 2007 15:34:44 -0700 (PDT)
Subject: Re: An ISN(initial sequence number) bug?
Message-Id: <200708132234.l7DMYiSX067226@gw.catspoiler.org>
In-Reply-To: <305C539CA2F86249BF51CDCE8996AFF406322606@bcs-mail2.internal.cacheflow.com>
List-Id: Networking and TCP/IP with FreeBSD

On 13 Aug, Huang, Yusheng wrote:
> Hi,
>
> I think there is a bug in the tcp_isn_tick() function.
>
> 1477 static void
> 1478 tcp_isn_tick(xtp)
> 1479 	void *xtp;
> 1480 {
> 1481 	u_int32_t projected_offset;
> 1482
> 1483 	INP_INFO_WLOCK(&tcbinfo);
> 1484 	projected_offset = isn_offset_old + ISN_BYTES_PER_SECOND / 100;
> 1485
> 1486 	if (projected_offset > isn_offset)
> 1487 		isn_offset = projected_offset;
> 1488
> 1489 	isn_offset_old = isn_offset;
> 1490 	callout_reset(&isn_callout, hz/100, tcp_isn_tick, NULL);
> 1491 	INP_INFO_WUNLOCK(&tcbinfo);
> 1492 }
>
> If isn_offset is close to the 4G boundary, the projected_offset is
> likely to overflow the 4G value so the unsigned comparison at line#1486
> will not be true and isn_offset will not be incremented by the
> tcp_isn_tick() for a very long long time.

I think the comparison should be done with the SEQ_GT() macro.
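The wraparound described in the quoted message, and the SEQ_GT() comparison proposed in the reply, as an added example in plain C that is not part of this thread or of the FreeBSD source: it models tcp_isn_tick() with both comparisons and runs a few ticks from an offset just below 2^32. The value of ISN_BYTES_PER_SECOND and the definition of SEQ_GT() are reproduced here as assumptions about the FreeBSD headers, and the starting offset is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed from the FreeBSD tree: tcp_subr.c defines ISN_BYTES_PER_SECOND
 * as 1048576 and tcp_seq.h defines SEQ_GT() as a signed-difference test,
 * which is what makes it tolerate the 2^32 wrap. */
#define ISN_BYTES_PER_SECOND 1048576
#define SEQ_GT(a, b) ((int32_t)((a) - (b)) > 0)

/* Minimal model of the global ISN state that tcp_isn_tick() updates. */
struct isn_state {
    uint32_t isn_offset;
    uint32_t isn_offset_old;
};

/* One tick as written in the quoted code: plain unsigned comparison.
 * Once projected_offset wraps past zero it is numerically smaller than
 * isn_offset, so the update is skipped and the state stops advancing. */
static void isn_tick_unsigned(struct isn_state *s)
{
    uint32_t projected = s->isn_offset_old + ISN_BYTES_PER_SECOND / 100;
    if (projected > s->isn_offset)
        s->isn_offset = projected;
    s->isn_offset_old = s->isn_offset;
}

/* The same tick using SEQ_GT(): the wrapped value is still "ahead" in
 * sequence space, so the offset keeps advancing across the boundary. */
static void isn_tick_seqgt(struct isn_state *s)
{
    uint32_t projected = s->isn_offset_old + ISN_BYTES_PER_SECOND / 100;
    if (SEQ_GT(projected, s->isn_offset))
        s->isn_offset = projected;
    s->isn_offset_old = s->isn_offset;
}

/* Run n ticks from a starting offset and return the resulting isn_offset. */
uint32_t run_ticks(uint32_t start, int n, int use_seqgt)
{
    struct isn_state s = { start, start };
    for (int i = 0; i < n; i++) {
        if (use_seqgt)
            isn_tick_seqgt(&s);
        else
            isn_tick_unsigned(&s);
    }
    return s.isn_offset;
}

int main(void)
{
    /* Constructed start: 5000 bytes below 2^32, so the first projected
     * offset (+10485) wraps. Unsigned stays stuck; SEQ_GT advances. */
    uint32_t start = 0xFFFFFFFFu - 5000;
    printf("unsigned: %u\nSEQ_GT:   %u\n",
           run_ticks(start, 3, 0), run_ticks(start, 3, 1));
    return 0;
}
```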