
When an ACK segment as the third message of the three way handshake is

received and support for time stamps was negotiated in the SYN/SYNACK
exchange, perform the PAWS check and only expand the syn cache entry if
the check is passed.
Without this check, endpoints may get stuck on the incomplete queue.

Reviewed by:		jtl@
MFC after:		3 days
Sponsored by:		Netflix, Inc.
Differential Revision:	https://reviews.freebsd.org/D20374
Michael Tuexen 2019-05-26 17:18:14 +00:00
parent 0b30b98f26
commit bc35229fad
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=348290


@ -1142,6 +1142,28 @@ syncache_expand(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
}
}
#endif /* TCP_SIGNATURE */
/*
* RFC 7323 PAWS: If we have a timestamp on this segment and
* it's less than ts_recent, drop it.
* XXXMT: RFC 7323 also requires to send an ACK.
* In tcp_input.c this is only done for TCP segments
* with user data, so be consistent here and just drop
* the segment.
*/
if (sc->sc_flags & SCF_TIMESTAMP && to->to_flags & TOF_TS &&
TSTMP_LT(to->to_tsval, sc->sc_tsreflect)) {
SCH_UNLOCK(sch);
if ((s = tcp_log_addrs(inc, th, NULL, NULL))) {
log(LOG_DEBUG,
"%s; %s: SEG.TSval %u < TS.Recent %u, "
"segment dropped\n", s, __func__,
to->to_tsval, sc->sc_tsreflect);
free(s, M_TCPLOG);
}
return (-1); /* Do not send RST */
}
/*
* Pull out the entry to unlock the bucket row.
*
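Review bot: The new PAWS drop in syncache_expand() is visible only through the LOG_DEBUG message, so an operator running without debug logging has no way to see how often handshake ACKs are rejected here. The branch returns before the "Pull out the entry" step, so the syncache entry stays queued after each drop, which makes a counter useful for spotting peers that repeatedly send stale timestamps. I would bump the existing PAWS statistic just before the return, `TCPSTAT_INC(tcps_pawsdrop);`, assuming the counter used in tcp_input.c is the intended one to share. As a style point, `sc->sc_flags & SCF_TIMESTAMP && to->to_flags & TOF_TS` is correct by precedence but reads more safely with each bitwise test parenthesised. syncache_expand() starts and ends outside this hunk, so how the retained entry is later timed out cannot be checked from here.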