The branch stable/14 has been updated by tuexen:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=b1ed408e034655e89be91d91d5677f7e90224024

commit b1ed408e034655e89be91d91d5677f7e90224024
Author:     Michael Tuexen <[email protected]>
AuthorDate: 2025-11-03 10:50:49 +0000
Commit:     Michael Tuexen <[email protected]>
CommitDate: 2025-11-10 19:53:28 +0000

    tcp: drop SYN ACK segment for listening sockets
    
    When a SYN ACK is received for a listening socket, just drop it
    instead of killing the SYN-cache entry and sending a RST.
    This closes the possibility of killing a TCP connection during its
    handling in the SYN-cache.
    
    Reviewed by:            Nick Banks, Peter Lei
    Sponsored by:           Netflix, Inc.
    Differential Revision:  https://reviews.freebsd.org/D53540
    
    (cherry picked from commit 239464e99321ede07664782426ec4e54cd8a618d)
---
 sys/netinet/tcp_input.c    |  5 ++---
 sys/netinet/tcp_syncache.c | 17 -----------------
 sys/netinet/tcp_syncache.h |  1 -
 3 files changed, 2 insertions(+), 21 deletions(-)

diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 4a6f8d80f231..9dfd38d679e9 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1209,11 +1209,10 @@ tfo_socket_result:
                if (thflags & TH_ACK) {
                        if ((s = tcp_log_addrs(&inc, th, NULL, NULL)))
                                log(LOG_DEBUG, "%s; %s: Listen socket: "
-                                   "SYN|ACK invalid, segment rejected\n",
+                                   "SYN|ACK invalid, segment ignored\n",
                                    s, __func__);
-                       syncache_badack(&inc, port);    /* XXX: Not needed! */
                        TCPSTAT_INC(tcps_badsyn);
-                       goto dropwithreset;
+                       goto dropunlock;
                }
                /*
                 * If the drop_synfin option is enabled, drop all
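Review bot: The `if (thflags & TH_ACK)` branch now drops the segment silently where it previously answered with a RST, but nothing in the code records why, so a later cleanup could plausibly restore `goto dropwithreset`. A comment above the `TCPSTAT_INC(tcps_badsyn)` line, for example `/* No RST and no SYN-cache lookup: a forged SYN|ACK must not be able to remove the entry of a connection still being set up. */`, would carry the rationale from the commit message into the source. The only traces left on this path are a LOG_DEBUG line and the `tcps_badsyn` counter, so it is also worth confirming that `tcps_sc_badack` is still incremented somewhere or is documented as retired; the increment visible here is removed together with `syncache_badack()` in tcp_syncache.c. The enclosing function begins and ends outside this hunk.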
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index 713f6a35ad45..376a5d958504 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -720,23 +720,6 @@ done:
        SCH_UNLOCK(sch);
 }
 
-void
-syncache_badack(struct in_conninfo *inc, uint16_t port)
-{
-       struct syncache *sc;
-       struct syncache_head *sch;
-
-       if (syncache_cookiesonly())
-               return;
-       sc = syncache_lookup(inc, &sch);        /* returns locked sch */
-       SCH_LOCK_ASSERT(sch);
-       if ((sc != NULL) && (sc->sc_port == port)) {
-               syncache_drop(sc, sch);
-               TCPSTAT_INC(tcps_sc_badack);
-       }
-       SCH_UNLOCK(sch);
-}
-
 void
 syncache_unreach(struct in_conninfo *inc, tcp_seq th_seq, uint16_t port)
 {
diff --git a/sys/netinet/tcp_syncache.h b/sys/netinet/tcp_syncache.h
index 9445940bcec5..b188e6ad2ab6 100644
--- a/sys/netinet/tcp_syncache.h
+++ b/sys/netinet/tcp_syncache.h
@@ -47,7 +47,6 @@ struct socket *        syncache_add(struct in_conninfo *, 
struct tcpopt *,
             void *, void *, uint8_t, uint16_t);
 void    syncache_chkrst(struct in_conninfo *, struct tcphdr *, struct mbuf *,
             uint16_t);
-void    syncache_badack(struct in_conninfo *, uint16_t);
 int     syncache_pcblist(struct sysctl_req *);
 
 struct syncache {
