From nobody@FreeBSD.org  Thu Nov  3 12:48:11 2005
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C26B916A420
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  3 Nov 2005 12:48:02 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4846D43D60
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  3 Nov 2005 12:48:02 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id jA3Cm2TM094049
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 3 Nov 2005 12:48:02 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id jA3Cm29W094048;
	Thu, 3 Nov 2005 12:48:02 GMT
	(envelope-from nobody)
Message-Id: <200511031248.jA3Cm29W094048@www.freebsd.org>
Date: Thu, 3 Nov 2005 12:48:02 GMT
From: Maxim Podberezny <diascan@mail.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: SYN+ACK reports strange size of window
X-Send-Pr-Version: www-2.3

>Number:         88450
>Category:       kern
>Synopsis:       SYN+ACK reports strange size of window
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    andre
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 03 12:50:26 GMT 2005
>Closed-Date:    
>Last-Modified:  Tue Jan 24 18:26:04 GMT 2006
>Originator:     Maxim Podberezny
>Release:        4.11
>Organization:
Diascan
>Environment:
peculiar OS, uses FreeBSD TCP/IP stack 'as is'
>Description:
              I test a newly ported FreeBSD TCP/IP stack at our OS. Stack was ported 'as is'. The test is performed with ANVL test suite.
The problem is that one of ANVL test performes the follows:
1. ANVL sends SYN to DUT (target with our OS)
2. DUT sends SYN+ACK with Window_From_DUT=0x4000
3. ANVL sends ACK to DUT.

now the state of the connection is ESTABLISHED.

4. ANVL sends SYN packet to DUT with unacceptable sequence number.
ANVL calculates the sequence number as follows:
SEQ = Seq_From_DUT + Window_From_DUT + 2

ANVL expects from DUT to receive ACK with some sequence number, but it receives RST. I investigated the issue and found that the size of window is calculated in syncache_add()-function:
1.1          (jlemon   22-Nov-01):      /* Initial receive window: clip sbspace to [0 .. TCP_MAXWIN] */
1.1          (jlemon   22-Nov-01):      win = sbspace(&so->so_rcv);
1.1          (jlemon   22-Nov-01):      win = imax(win, 0);
1.1          (jlemon   22-Nov-01):      win = imin(win, TCP_MAXWIN);
1.1          (jlemon   22-Nov-01):      sc->sc_wnd = win;

and uses this value when send the SYN+ACK in syncache_respond():
1.1          (jlemon   22-Nov-01):      th->th_x2 = 0;
1.1          (jlemon   22-Nov-01):      th->th_flags = TH_SYN|TH_ACK;
1.1          (jlemon   22-Nov-01):      th->th_win = htons(sc->sc_wnd);
1.1          (jlemon   22-Nov-01):      th->th_urp = 0;

After DUT has sended the SYN+ACK and received the last ACK, the size of window changed to a value of 0x40e8 in tcp_input.c file.

So, finally the unacceptable sequence number from ANVL is accepted in by DUT window, since 0x40e8 is bigger than 0x4000+2. DUT sends RST instead of ACK packet.

The situation that the window size has changed is correct, I now, but why this size is also changed by another algorithm in another file absolutely independently?

Before syncache was developed the receive window size was calculated always in one file in tcp_input.c.
The chain was as follows:
tcp_input()
 |
 |->tcp_dooptions()
   |
   |->tcp_mss()
The latter function changed the window size keeping integrity of the value.
>How-To-Repeat:
              Establish a connection with FreeBSD and send SYN packet with sequence number bigger than in packet plus window and plus 2.
>Fix:
              If it's a bug or "wrong' issue I suggest to use the code from tcp_mss() function which was used earlier.

What do you think?
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Nov 3 14:45:54 GMT 2005 
Responsible-Changed-Why:  
This is definitely not a 'ports' problem, although I don't know exactly 
how to categorize it in this case ... 

http://www.freebsd.org/cgi/query-pr.cgi?pr=88450 
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: arved 
Responsible-Changed-When: Thu Nov 3 15:29:18 GMT 2005 
Responsible-Changed-Why:  
Over to -net for review 

http://www.freebsd.org/cgi/query-pr.cgi?pr=88450 
Responsible-Changed-From-To: freebsd-net->andre 
Responsible-Changed-By: andre 
Responsible-Changed-When: Tue Jan 24 18:25:48 UTC 2006 
Responsible-Changed-Why:  
take over. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=88450 
>Unformatted:
