>Number:         154006
>Category:       kern
>Synopsis:       tcp "window probe" bug on 64bit
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 15 01:40:07 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Stefan `Sec` Zehl
>Release:        FreeBSD 8.1-STABLE amd64
>Organization:
>Environment:
System: FreeBSD ice 8.1-STABLE FreeBSD 8.1-STABLE #15: Mon Oct 25 12:20:38 CEST 2010 root@ice:/usr/obj/usr/src/sys/ICE amd64

As far as I can tell, the offending code is in all FreeBSD versions, not just
8-STABLE.

        
>Description:

On amd64 the PERSIST timer does not get started (and consequently executed)
for tcp connections stalled on a 0-size receive window. This means that no
single-byte probe packet is sent, so connections might hang indefinitely.

This is due to a missing (long) conversion in tcp_output.c around line 562
where "adv" is calculated. 

After this patch, amd64 behaves the same way as i386 again.


>How-To-Repeat:

Connect to a certain broken host which advertises window size 0 in the
SYN|ACK handshake packet, but increases window size after the 3-way
handshake.

>Fix:

--- src/sys/netinet/tcp_output.c        2010-09-20 17:49:17.000000000 +0200
+++ src/sys/netinet/tcp_output.c        2011-01-14 19:30:46.000000000 +0100
@@ -571,7 +559,7 @@
                 * TCP_MAXWIN << tp->rcv_scale.
                 */
                long adv = min(recwin, (long)TCP_MAXWIN << tp->rcv_scale) -
-                       (tp->rcv_adv - tp->rcv_nxt);
+                       (long) (tp->rcv_adv - tp->rcv_nxt);
 
                if (adv >= (long) (2 * tp->t_maxseg))
                        goto send;
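
Review bot: The new (long) cast on "(tp->rcv_adv - tp->rcv_nxt)" has no comment saying why it is needed, and the comment above it only covers the "TCP_MAXWIN << tp->rcv_scale" clamp, so a later cleanup could drop the cast as redundant and bring back the 64-bit behaviour. Add a line noting that the subtraction has to be carried out in long so that adv can go negative when the amount already advertised exceeds the clamped recwin, which is what the "adv >= (long) (2 * tp->t_maxseg)" test below relies on. The cast also widens the difference only after it has been computed in the operands' own type, so if rcv_adv can ever be behind rcv_nxt that case deserves an explicit check rather than reliance on the conversion.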


>Release-Note:
>Audit-Trail:
>Unformatted:
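
The width dependence described under >Description, modelled with fixed-width types as an added example that is not part of the original report or of the FreeBSD source. It assumes (the page does not show this) that the kernel's min() returns an unsigned 32-bit value and that rcv_adv and rcv_nxt are unsigned 32-bit sequence numbers; the function names and sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions (not shown in the report): min() takes and returns unsigned
 * 32-bit values, and rcv_adv / rcv_nxt are unsigned 32-bit sequence numbers.
 * All names and sample values below are constructed for illustration. */
static uint32_t kmin(uint32_t a, uint32_t b) { return a < b ? a : b; }

/* Unpatched expression where long is 32 bits (i386): the unsigned 32-bit
 * result is reinterpreted as signed, so a shortfall shows up as negative. */
static int64_t adv_unpatched_long32(uint32_t recwin, uint32_t maxwin,
                                    uint32_t rcv_adv, uint32_t rcv_nxt)
{
    return (int32_t)(kmin(recwin, maxwin) - (rcv_adv - rcv_nxt));
}

/* Unpatched expression where long is 64 bits (amd64): the same unsigned
 * 32-bit result is zero-extended, so a shortfall becomes a huge positive. */
static int64_t adv_unpatched_long64(uint32_t recwin, uint32_t maxwin,
                                    uint32_t rcv_adv, uint32_t rcv_nxt)
{
    return (int64_t)(uint32_t)(kmin(recwin, maxwin) - (rcv_adv - rcv_nxt));
}

/* Patched expression on amd64: the cast forces the subtraction into long. */
static int64_t adv_patched_long64(uint32_t recwin, uint32_t maxwin,
                                  uint32_t rcv_adv, uint32_t rcv_nxt)
{
    return (int64_t)kmin(recwin, maxwin) - (int64_t)(uint32_t)(rcv_adv - rcv_nxt);
}

/* The test from the hunk: adv >= (long)(2 * t_maxseg) leads to "goto send". */
static int takes_goto_send(int64_t adv, uint32_t maxseg)
{
    return adv >= (int64_t)(2 * maxseg);
}

int main(void)
{
    /* Constructed case: 8192 bytes already advertised, only 4096 available. */
    uint32_t recwin = 4096, maxwin = 65535, nxt = 1000, radv = nxt + 8192, mss = 1460;
    int64_t a32 = adv_unpatched_long32(recwin, maxwin, radv, nxt);
    int64_t a64 = adv_unpatched_long64(recwin, maxwin, radv, nxt);
    int64_t p64 = adv_patched_long64(recwin, maxwin, radv, nxt);
    printf("i386  unpatched: adv=%lld send=%d\n", (long long)a32, takes_goto_send(a32, mss));
    printf("amd64 unpatched: adv=%lld send=%d\n", (long long)a64, takes_goto_send(a64, mss));
    printf("amd64 patched:   adv=%lld send=%d\n", (long long)p64, takes_goto_send(p64, mss));
    return 0;
}
```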