Author: tuexen Date: Thu Oct 3 12:26:55 2019 New Revision: 353040 URL: https://svnweb.freebsd.org/changeset/base/353040
Log: MFS r352673: When the RACK stack computes the space for user data in a TCP segment, it wasn't taking the IP level options into account. This patch fixes this. In addition, it also corrects a KASSERT and adds protection code to assure that the IP header chain and the TCP head fit in the first fragment as required by RFC 7112. MFS: r353035: RFC 7112 requires a host to put the complete IP header chain including the TCP header in the first IP packet. Enforce this in tcp_output(). In addition make sure that at least one byte payload fits in the TCP segement to allow making progress. Without this check, a kernel with INVARIANTS will panic. This issue was found by running an instance of syzkaller. Approved by: re (kib@) Reviewed by: rrs@ (r352673), jtl@ (r353035) Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D21665 Differential Revision: https://reviews.freebsd.org/D21666 Modified: releng/12.1/sys/netinet/tcp_output.c releng/12.1/sys/netinet/tcp_stacks/rack.c Directory Properties: releng/12.1/ (props changed) Modified: releng/12.1/sys/netinet/tcp_output.c ============================================================================== --- releng/12.1/sys/netinet/tcp_output.c Thu Oct 3 11:23:10 2019 (r353039) +++ releng/12.1/sys/netinet/tcp_output.c Thu Oct 3 12:26:55 2019 (r353040) @@ -931,6 +931,20 @@ send: if (tp->t_flags & TF_NEEDFIN) sendalot = 1; } else { + if (optlen + ipoptlen >= tp->t_maxseg) { + /* + * Since we don't have enough space to put + * the IP header chain and the TCP header in + * one packet as required by RFC 7112, don't + * send it. Also ensure that at least one + * byte of the payload can be put into the + * TCP segment. + */ + SOCKBUF_UNLOCK(&so->so_snd); + error = EMSGSIZE; + sack_rxmit = 0; + goto out; + } len = tp->t_maxseg - optlen - ipoptlen; sendalot = 1; if (dont_sendalot) Modified: releng/12.1/sys/netinet/tcp_stacks/rack.c ============================================================================== --- releng/12.1/sys/netinet/tcp_stacks/rack.c Thu Oct 3 11:23:10 2019 (r353039) +++ releng/12.1/sys/netinet/tcp_stacks/rack.c Thu Oct 3 12:26:55 2019 (r353040) @@ -7872,7 +7872,16 @@ send: hdrlen += sizeof(struct udphdr); } #endif - ipoptlen = 0; +#ifdef INET6 + if (isipv6) + ipoptlen = ip6_optlen(tp->t_inpcb); + else +#endif + if (tp->t_inpcb->inp_options) + ipoptlen = tp->t_inpcb->inp_options->m_len - + offsetof(struct ipoption, ipopt_list); + else + ipoptlen = 0; #if defined(IPSEC) || defined(IPSEC_SUPPORT) ipoptlen += ipsec_optlen; #endif @@ -7945,6 +7954,20 @@ send: sendalot = 1; } else { + if (optlen + ipoptlen >= tp->t_maxseg) { + /* + * Since we don't have enough space to put + * the IP header chain and the TCP header in + * one packet as required by RFC 7112, don't + * send it. Also ensure that at least one + * byte of the payload can be put into the + * TCP segment. + */ + SOCKBUF_UNLOCK(&so->so_snd); + error = EMSGSIZE; + sack_rxmit = 0; + goto out; + } len = tp->t_maxseg - optlen - ipoptlen; sendalot = 1; } @@ -8438,15 +8461,9 @@ send: m->m_pkthdr.csum_flags |= CSUM_TSO; m->m_pkthdr.tso_segsz = tp->t_maxseg - optlen; } -#if defined(IPSEC) || defined(IPSEC_SUPPORT) - KASSERT(len + hdrlen + ipoptlen - ipsec_optlen == m_length(m, NULL), - ("%s: mbuf chain shorter than expected: %d + %u + %u - %u != %u", - __func__, len, hdrlen, ipoptlen, ipsec_optlen, m_length(m, NULL))); -#else - KASSERT(len + hdrlen + ipoptlen == m_length(m, NULL), - ("%s: mbuf chain shorter than expected: %d + %u + %u != %u", - __func__, len, hdrlen, ipoptlen, m_length(m, NULL))); -#endif + KASSERT(len + hdrlen == m_length(m, NULL), + ("%s: mbuf chain different than expected: %d + %u != %u", + __func__, len, hdrlen, m_length(m, NULL))); #ifdef TCP_HHOOK /* Run HHOOK_TCP_ESTABLISHED_OUT helper hooks. */ _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"