D52717.id54425.diff
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -2148,14 +2148,16 @@
}
/*
- * Send a challenge ack (no data, no SACK option), but not more than
- * V_tcp_ack_war_cnt per V_tcp_ack_war_time_window (per TCP connection).
+ * Check that no more than V_tcp_ack_war_cnt per V_tcp_ack_war_time_window
+ * are sent. *epoch_end is the end of the current epoch and is updated, if the
+ * current epoch ended in the past. *ack_cnt is the counter used during the
+ * current epoch. It might be reset and incremented.
+ * The function returns true if a challenge ACK should be sent.
*/
-void
-tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m)
+bool
+tcp_challenge_ack_check(sbintime_t *epoch_end, uint32_t *ack_cnt)
{
sbintime_t now;
- bool send_challenge_ack;
/*
* The sending of a challenge ACK could be triggered by a blind attacker
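Review bot: The new header comment on tcp_challenge_ack_check() describes the two pointer arguments but omits the helper's other side effect. As the next hunk shows, every call still executes `(void)badport_bandlim(BANDLIM_TCP_RST);`, which by its name feeds the TCP RST rate limiter, so any new caller is accounted there whether or not an ACK ends up being sent. Because the function now takes bare pointers instead of a tcpcb, it also cannot check that the counters are protected; the comment should state the contract, presumably the inpcb lock for the existing caller (to be confirmed). Suggested additions to the comment: `* Each call is also accounted against BANDLIM_TCP_RST.` and `* The caller must serialize access to *epoch_end and *ack_cnt.` The function body continues past the end of this hunk.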
@@ -2164,29 +2166,39 @@
* would have guessed wrongly.
*/
(void)badport_bandlim(BANDLIM_TCP_RST);
+
if (V_tcp_ack_war_time_window == 0 || V_tcp_ack_war_cnt == 0) {
/* ACK war protection is disabled. */
- send_challenge_ack = true;
+ return (true);
} else {
/* Start new epoch, if the previous one is already over. */
now = getsbinuptime();
- if (tp->t_challenge_ack_end < now) {
- tp->t_challenge_ack_cnt = 0;
- tp->t_challenge_ack_end = now +
- V_tcp_ack_war_time_window * SBT_1MS;
+ if (*epoch_end < now) {
+ *ack_cnt = 0;
+ *epoch_end = now + V_tcp_ack_war_time_window * SBT_1MS;
}
/*
* Send a challenge ACK, if less than tcp_ack_war_cnt have been
* sent in the current epoch.
*/
- if (tp->t_challenge_ack_cnt < V_tcp_ack_war_cnt) {
- send_challenge_ack = true;
- tp->t_challenge_ack_cnt++;
+ if (*ack_cnt < V_tcp_ack_war_cnt) {
+ (*ack_cnt)++;
+ return (true);
} else {
- send_challenge_ack = false;
+ return (false);
}
}
- if (send_challenge_ack) {
+}
+
+/*
+ * Send a challenge ack (no data, no SACK option), but not more than
+ * V_tcp_ack_war_cnt per V_tcp_ack_war_time_window (per TCP connection).
+ */
+void
+tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m)
+{
+ if (tcp_challenge_ack_check(&tp->t_challenge_ack_end,
+ &tp->t_challenge_ack_cnt)) {
tcp_respond(tp, mtod(m, void *), th, m, tp->rcv_nxt,
tp->snd_nxt, TH_ACK);
tp->last_ack_sent = tp->rcv_nxt;
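Review bot: Every branch of tcp_challenge_ack_check() now ends in a `return`, so the `else` arms kept from the old flag-based version only add nesting to a rate-limit decision that should be easy to audit. The disabled case can return early without an `else`, and the final test reads more directly as a guard: `if (*ack_cnt >= V_tcp_ack_war_cnt) return (false);` followed by `(*ack_cnt)++;` and `return (true);`. This is a point of style only; the behaviour is the same as in the hunk. tcp_send_challenge_ack() continues past the end of this hunk, so the rest of its body is not reviewed here.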
diff --git a/sys/netinet/tcp_var.h b/sys/netinet/tcp_var.h
--- a/sys/netinet/tcp_var.h
+++ b/sys/netinet/tcp_var.h
@@ -1462,6 +1462,7 @@
void tcp_state_change(struct tcpcb *, int);
void tcp_respond(struct tcpcb *, void *,
struct tcphdr *, struct mbuf *, tcp_seq, tcp_seq, uint16_t);
+bool tcp_challenge_ack_check(sbintime_t *, uint32_t *);
void tcp_send_challenge_ack(struct tcpcb *, struct tcphdr *, struct mbuf *);
bool tcp_twcheck(struct inpcb *, struct tcpopt *, struct tcphdr *,
struct mbuf *, int);
D52717: tcp: refactor tcp_send_challenge_ack()