kern/46304: TCP can incorrectly update the advertised window (tp->snd_wnd)

[dennis.c.ferguson%gmail.com@localhost]

>Number:         46304
>Category:       kern
>Synopsis:       TCP can incorrectly update the advertised window (tp->snd_wnd)
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Apr 06 18:20:00 +0000 2012
>Originator:     Dennis Ferguson
>Release:        5.99.52
>Organization:
>Environment:
NetBSD timerxxx.juniper.net 5.99.52 NetBSD 5.99.52 (GENERIC) #41: Wed Feb  8 
08:53:09 UTC 2012  
dennis%timerxxx.juniper.net@localhost:/usr/obj/sys/arch/amd64/compile/GENERIC 
amd64
>Description:
There is a bug in netinet/tcp_input.c which can cause it to decrement the 
unsigned variable tp->snd_wnd below zero.  This causes tcp_output() to think a 
zero advertised window is in fact a very huge advertised window, which can 
result in it sending many packets outside the window of the neighbor.

See the tech-net%netbsd.org@localhost thread starting here:

    http://mail-index.NetBSD.org/tech-net/2012/04/01/msg003203.html

My analysis of the problem is here:

    http://mail-index.NetBSD.org/tech-net/2012/04/04/msg003218.html

Some should fix this.  I'm filing this so the problem doesn't get lost.
>How-To-Repeat:
See above.  It happens when a TCP packet is received which simultaneously ack's 
data outside the window advertised in a previous packet, and which carries old, 
retransmitted data.
>Fix:
Either:

(1) Do what FreeBSD seems to have done.  Make it believe and copy the 
advertised window from any packet which ack's new data, even if the packet is 
carrying retransmitted data.

or:

(2) Avoid decrementing tp->snd_wnd below zero, or make it a signed variable and 
treat a negative value the same as zero.