tcp: improve SEG.ACK validation in SYN-RECEIVED

tuexen · tuexen · commit 8af2f06a99b1 · 2025-10-06T22:43:11.000+02:00
According to the fifth step in SEGMENT ARRIVES, send a RST segment in response to an ACK segment which fails the SEG.ACK check, but leave the endpoint state unchanged. FreeBSD handles this correctly when entering the SYN-RECEIVED state via the SYN-SENT state, but not in the SYN-cache code, which handles the SYN-RECEIVED state via the LISTEN state. This also fixes a panic reported by Alexander Leidinger. Reviewed by: jtl, glebius MFC after: 3 days Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D52934
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
@@ -1285,7 +1285,8 @@ syncache_expand(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 				    "segment rejected\n",
 				    s, __func__, th->th_ack, sc->sc_iss + 1);
 			SCH_UNLOCK(sch);
-			goto failed;
+			free(s, M_TCPLOG);
+			return (0);  /* Do send RST, do not free sc. */;
 		}
 
 		TAILQ_REMOVE(&sch->sch_bucket, sc, sc_hash);

Original file line number	Diff line number	Diff line change
`@@ -1285,7 +1285,8 @@ syncache_expand(struct in_conninfo inc, struct tcpopt to, struct tcphdr *th,`
`1285`	`1285`	`"segment rejected\n",`
`1286`	`1286`	`s, __func__, th->th_ack, sc->sc_iss + 1);`
`1287`	`1287`	`SCH_UNLOCK(sch);`
`1288`		`- goto failed;`
	`1288`	`+ free(s, M_TCPLOG);`
	`1289`	`+ return (0); /* Do send RST, do not free sc. */;`
`1289`	`1290`	`}`
`1290`	`1291`
`1291`	`1292`	`TAILQ_REMOVE(&sch->sch_bucket, sc, sc_hash);`