Subject: Re: Odd crashes in tcp_output (2.0ish)
To: Greg Troxel <gdt@ir.bbn.com>
From: Charles M. Hannum <abuse@spamalicious.com>
List: tech-net
Date: 01/26/2005 17:37:44
On Wednesday 26 January 2005 16:43, Greg Troxel wrote:
> Any clues? Is this a trashed tcp control block, or did a negative rtt
> creep in somehow? Should the RTT-computing logic check for
> preposterous RTTs (takes unsigned, but as far as I can tell must
> tcp_xmit_timer have got -9 as an argument.

I believe this may happen because we don't do enough range checking in the
RFC1323 case. To wit:

    if (opti.ts_present && opti.ts_ecr)
        tcp_xmit_timer(tp,
            TCP_TIMESTAMP(tp) - opti.ts_ecr + 1);
    ...
    if (opti.ts_present && opti.ts_ecr)
        tcp_xmit_timer(tp, TCP_TIMESTAMP(tp) - opti.ts_ecr + 1);

If the other side screws with the echoed time stamp, it could cause us to
calculate a negative RTT.

Unfortunately, turning off net.inet.tcp.rfc1323 will probably not work as a
workaround, because it does not disable *reception* of time stamp options.
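
Added example (not part of the original message, and not NetBSD code): the unchecked RTT expression quoted above next to a range-checked form that discards implausible echoed timestamps. The function names, the 32-bit tick type and the RTT_SAMPLE_MAX bound are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bound: largest RTT sample accepted, in timestamp ticks. */
#define RTT_SAMPLE_MAX 128u

/* Unchecked form, mirroring the quoted expression: now - ts_ecr + 1.
 * Assumes 32-bit unsigned timestamp arithmetic. */
static uint32_t rtt_unchecked(uint32_t now, uint32_t ts_ecr)
{
	return now - ts_ecr + 1;
}

/* Range-checked form. Returns 1 and stores the sample in *rtt when the
 * echoed value is plausible; returns 0 when the sample must be discarded. */
static int rtt_checked(uint32_t now, uint32_t ts_ecr, uint32_t *rtt)
{
	uint32_t delta;

	if (ts_ecr == 0)
		return 0;		/* no echo to measure against */
	delta = now - ts_ecr;		/* modular, so clock wraparound is fine */
	if ((int32_t)delta < 0)
		return 0;		/* echo claims a time we have not reached */
	if (delta >= RTT_SAMPLE_MAX)
		return 0;		/* echo is older than the accepted bound */
	*rtt = delta + 1;
	return 1;
}

int main(void)
{
	uint32_t rtt = 0;
	int ok;

	/* Constructed input: the peer echoes a value 10 ticks ahead of our clock. */
	printf("unchecked: %d\n", (int)(int32_t)rtt_unchecked(1000, 1010));
	ok = rtt_checked(1000, 1010, &rtt);
	printf("checked:   accepted=%d\n", ok);

	/* Constructed input: an honest echo from 3 ticks ago. */
	ok = rtt_checked(1000, 997, &rtt);
	printf("checked:   accepted=%d rtt=%u\n", ok, (unsigned)rtt);
	return 0;
}
```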