From dada@balu.kfunigraz.ac.at Tue Apr 20 18:42:38 1999
Return-Path: <dada@balu.kfunigraz.ac.at>
Received: from kaa.kfunigraz.ac.at (KAA-ATM.kfunigraz.ac.at [143.50.202.22])
	by hub.freebsd.org (Postfix) with ESMTP id E99D81514A
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 20 Apr 1999 18:42:18 -0700 (PDT)
	(envelope-from dada@balu.kfunigraz.ac.at)
Received: from balu.kfunigraz.ac.at (balu [143.50.16.16])
	by kaa.kfunigraz.ac.at (8.9.2/8.9.2) with ESMTP id DAA04254
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 21 Apr 1999 03:39:08 +0200 (MDT)
Received: from localhost.kfunigraz.ac.at (IDENT:CFiy2NSUhmfQAekWhXk+B5WmlyE6E1eO@BONLINEA13.kfunigraz.ac.at [143.50.36.13])
	by balu.kfunigraz.ac.at (8.9.2/8.9.2) with ESMTP id DAA27626
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 21 Apr 1999 03:39:47 +0200 (MDT)
Received: (from dada@localhost)
	by localhost.kfunigraz.ac.at (8.8.8/8.8.8) id DAA00732;
	Wed, 21 Apr 1999 03:22:22 +0200 (CEST)
	(envelope-from dada)
Message-Id: <199904210122.DAA00732@localhost.kfunigraz.ac.at>
Date: Wed, 21 Apr 1999 03:22:22 +0200 (CEST)
From: dada@sbox.tu-graz.ac.at
Sender: dada@balu.kfunigraz.ac.at
Reply-To: dada@sbox.tu-graz.ac.at
To: FreeBSD-gnats-submit@freebsd.org
Subject: lite2 bugfixes missing in kern/uipc_socket.c
X-Send-Pr-Version: 3.2

>Number:         11252
>Category:       kern
>Synopsis:       lite2 bugfixes missing in kern/uipc_socket.c
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 20 18:50:00 PDT 1999
>Closed-Date:    Sat Apr 24 11:30:23 PDT 1999
>Last-Modified:  Sat Apr 24 11:31:47 PDT 1999
>Originator:     Martin Kammerhofer
>Release:        FreeBSD 2.2.8-STABLE i386
>Organization:
Graz University of Technology
>Environment:
>Description:

FreeBSD (all versions) is shipped with 2 bugs in get/setsockopt(2)

Bug #1:
Manpage setsockopt(2) says
	...
     decides it is unable to deliver the information (a timeout period, termed
     the linger interval, is specified in seconds in the setsockopt() call
     when SO_LINGER is requested).  If SO_LINGER is disabled and a close(2) is
	...

The problem is: You get exactly 1% of the requested linger time!
Why? The manpage says it is in seconds but it is used in soclose()
like this:
			while (so->so_state & SS_ISCONNECTED) {
				error = tsleep((caddr_t)&so->so_timeo,
				    PSOCK | PCATCH, "soclos", so->so_linger);

Unfortunately tsleep counts time in units of 1/HZ seconds. This is why
you get only one percent (with a HZ=100 kernel).

Bug #2:
Range checking for setsockopt(2) arguments SO_SNDTIMEO and SO_RCVTIMEO
is broken. This causes perfect reasonable timeouts to be rejected with
error EDOM. This problem is aggravated if your run a kernel with raised
HZ value (e.g. for ALTQ).

FreeBSD uses the buggy code from the original lite import. Both bugs
had been already fixed in lite2. It is in the repository but has never
been integrated.

>How-To-Repeat:

BUG #1:
struct linger l = {1, 1000};

setsockopt(s, SOL_SOCKET, SO_LINGER, &l, sizeof l);
...
close(s); // Will return after 10 seconds if still data queued for sending.
          // Achieve this by sending lots of data to an application that
	  // accept()s but doesn't read it's socket.

BUG #2:
Compile a kernel with HZ=1000 and find out that only negative send
and receive timeouts for sockets are acceptable. :)

>Fix:
cvs diff -r1.1.1.1 -r1.1.1.2 src/sys/kern/uipc_socket.c

Note that there's a small piece of code in sys/netinet/tcp_userreq.c
that relies on the bug:
	if ((so->so_options & SO_LINGER) && so->so_linger == 0)
		so->so_linger = TCP_LINGERTIME * hz;
                                              ^^^^^
See the commit of Revision 1.10  Thu Feb 16 01:42:45 1995 UTC by Wollman.
Since lite2 fixed soclose() this commit should be undone together with
the lite2 patch.

For a better fix change sb_timeo in struct sockbuf (socketvar.h) from
short to int! Even if long timeouts do not make sense this is much too
dependend on HZ. Bit saving mentality brought us all this Y2K issues...

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: ache 
State-Changed-When: Sat Apr 24 11:30:23 PDT 1999 
State-Changed-Why:  
Lite2 fixes and tcp_usrreq.c undone applied. 
short->int transition is out of my scope. 
>Unformatted:
