Date: Mon, 4 Feb 2002 13:58:51 -0800 (PST)
From: Joseph Ishac <jishac@grc.nasa.gov>
To: freebsd-gnats-submit@FreeBSD.org
Subject: TCP - FINs with different sequence numbers
X-Send-Pr-Version: www-1.0

>Number:         34619
>Category:       kern
>Synopsis:       TCP - FINs with different sequence numbers
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bms
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 04 14:00:02 PST 2002
>Closed-Date:    Sun Jul 31 12:13:35 GMT 2005
>Last-Modified:  Sun Jul 31 12:13:35 GMT 2005
>Originator:     Joseph Ishac
>Release:        
>Organization:
NASA Glenn Research Center
>Environment:
>Description:
      Problem (below) discovered on OpenBSD. The problem code exists in the current (1.39.2.14) version of src/sys/netinet/tcp_output.c. However, the problem has not been verified on a FreeBSD box.  OpenBSD fix by Niels Provos.

After losing a packet in the final window of data, the resulting retransmission carries the FIN bit erroneously (it is not the final packet and carries a different sequence number).

See: OpenBSD PR number 2368 (http://cvs.openbsd.org/cgi-bin/wwwgnats.pl/full/2368) for sample output.
>How-To-Repeat:
      
>Fix:
      OpenBSD solution from Niels Provos <provos@citi.umich.edu>

 Index: tcp_output.c
 ===================================================================
 --- tcp_output.c	14 Jan 2002 19:58:18 -0000	1.46
 +++ tcp_output.c	2 Feb 2002 01:01:37 -0000
  		len = tp->t_maxseg;
  		sendalot = 1;
  	}
 -	if (SEQ_LT(tp->snd_nxt + len, tp->snd_una + so->so_snd.sb_cc))
 +	if (off + len < so->so_snd.sb_cc)
  		flags &= ~TH_FIN;
  
  	win = sbspace(&so->so_rcv);
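
Review bot: The replacement test `off + len < so->so_snd.sb_cc` depends on `off`, which is assigned outside the lines shown, and nothing in the hunk documents what it must hold at this point. If `off` is always `tp->snd_nxt - tp->snd_una`, the new condition reduces to the same comparison as the removed `SEQ_LT(tp->snd_nxt + len, tp->snd_una + so->so_snd.sb_cc)`, so the fix only takes effect on a path where `off` is set differently; a comment above the `if` naming that path and stating the invariant (TH_FIN is cleared whenever the segment ends before the last byte in the send buffer) would make this reviewable. The change also swaps a wraparound-safe sequence comparison for a plain `<`, so please confirm the types of `off`, `len` and `sb_cc`: a negative `off` or `len` promoted to a large unsigned value would make the test false and leave TH_FIN set.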
 
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->bms 
Responsible-Changed-By: bms 
Responsible-Changed-When: Fri Jun 18 02:26:51 GMT 2004 
Responsible-Changed-Why:  
I'll take this.  Fix in question can be found at: 
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/tcp_output.c.diff?r1=1.46&r2=1.47 
It looks like this can go in as-is, but I'm going to ask silby if he 
can review it also. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=34619 
State-Changed-From-To: open->patched 
State-Changed-By: bms 
State-Changed-When: Fri Jun 18 02:48:03 GMT 2004 
State-Changed-Why:  
Committed to HEAD 

http://www.freebsd.org/cgi/query-pr.cgi?pr=34619 

From: Matteo Riondato <rionda@gufi.org>
To: Gnats PR Database <freebsd-gnats-submit@freebsd.org>
Cc: bms@FreeBSD.org, jishac@grc.nasa.gov
Subject: Re: kern/34619 TCP - FINs with different sequence numbers
Date: Mon, 11 Apr 2005 13:55:56 +0200

 This is fixed in RELENG_5 too, but not in RELENG_4.
 It seems that it is possible to merge to RELENG_4 but I'm not
 sure. If it's not, then this PR can be closed (or suspended)
 Thank you
 Best Regards
 -- 
 Rionda aka Matteo Riondato
 Disinformato per default
 G.U.F.I. Staff Member (http://www.gufi.org)
 FreeSBIE Developer (http://www.freesbie.org)

From: Joseph Ishac <jishac@grc.nasa.gov>
To: Matteo Riondato <rionda@gufi.org>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/34619 TCP - FINs with different sequence numbers
Date: Mon, 11 Apr 2005 14:21:49 -0400

 This fix was inserted with revision 1.92 (B: MAIN)
 http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_output.c.diff?r1=1.91&r2=1.92&f=h
 
 It looks like the fix was _reversed_ with revision 1.99 (B: MAIN) in order to address a Sack issue.
 http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_output.c.diff?r1=1.98&r2=1.99&f=h
 
 Without looking at it in detail, it seems to me that the "else" block of
 the change in 1.99 should be identical to the block in rev 1.98
 
 -Joseph
 
 On Mon, Apr 11, 2005 at 02:16:16PM +0200, Matteo Riondato wrote:
 > This is fixed in RELENG_5 too, but not in RELENG_4.
 > It seems that it is possible to merge to RELENG_4 but I'm not
 > sure. If it's not, then this PR can be closed (or suspended)
 > Thank you
 > Best Regards
 > -- 
 > Rionda aka Matteo Riondato
 > Disinformato per default
 > G.U.F.I. Staff Member (http://www.gufi.org)
 > FreeSBIE Developer (http://www.freesbie.org)
State-Changed-From-To: patched->closed 
State-Changed-By: matteo 
State-Changed-When: Sun Jul 31 12:12:43 GMT 2005 
State-Changed-Why:  
Fixed, but won't be MFCed to RELENG_4 

http://www.freebsd.org/cgi/query-pr.cgi?pr=34619 
>Unformatted:
