Author: delphij
Date: Tue Jul 21 23:42:15 2015
New Revision: 285777
URL: https://svnweb.freebsd.org/changeset/base/285777

Log:
  Fix resource exhaustion due to sessions stuck in LAST_ACK state.
  
  Submitted by: Jonathan Looney (Juniper SIRT)
  Reviewed by:  lstewart
  Security:     CVE-2015-5358
  Security:     SA-15:13.tcp

Modified:
  head/sys/netinet/tcp_output.c

Modified: head/sys/netinet/tcp_output.c
==============================================================================
--- head/sys/netinet/tcp_output.c       Tue Jul 21 23:22:23 2015        
(r285776)
+++ head/sys/netinet/tcp_output.c       Tue Jul 21 23:42:15 2015        
(r285777)
@@ -400,7 +400,7 @@ after_sack_rexmit:
                flags &= ~TH_FIN;
        }
 
-       if (len < 0) {
+       if (len <= 0) {
                /*
                 * If FIN has been sent but not acked,
                 * but we haven't been called to retransmit,
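Review bot: The widened test `if (len <= 0) {` now sends every zero-length pass through a block whose comment still opens with "If FIN has been sent but not acked", which describes only the negative-length case. Lead the comment with the reason zero is now included, so the first thing a reader sees matches the condition. The `len = 0;` assignment that follows is then a no-op for the newly admitted case, which is harmless but worth a word in the comment.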
@@ -410,9 +410,16 @@ after_sack_rexmit:
                 * to (closed) window, and set the persist timer
                 * if it isn't already going.  If the window didn't
                 * close completely, just wait for an ACK.
+                *
+                * We also do a general check here to ensure that
+                * we will set the persist timer when we have data
+                * to send, but a 0-byte window. This makes sure
+                * the persist timer is set even if the packet
+                * hits one of the "goto send" lines below.
                 */
                len = 0;
-               if (sendwin == 0) {
+               if ((sendwin == 0) && (TCPS_HAVEESTABLISHED(tp->t_state)) &&
+                       (off < (int) sbavail(&so->so_snd))) {
                        tcp_timer_activate(tp, TT_REXMT, 0);
                        tp->t_rxtshift = 0;
                        tp->snd_nxt = tp->snd_una;
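Review bot: The added comment explains the zero-window and data-to-send parts of the new condition but says nothing about the `TCPS_HAVEESTABLISHED(tp->t_state)` test, so the reason sessions that have not yet reached the established state are excluded is left for the reader to work out. Add a sentence on that. In the same condition, `off < (int) sbavail(&so->so_snd)` narrows the buffer count to a signed int; a short note on why the cast cannot truncate or go negative here would help, and the extra parentheses around `(sendwin == 0)` and the macro call can be dropped.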