2 * INET An implementation of the TCP/IP protocol suite for the LINUX
3 * operating system. INET is implemented using the BSD Socket
4 * interface as the means of communication with the user level.
6 * Implementation of the Transmission Control Protocol(TCP).
9 * Fred N. van Kempen, <waltje@uWalt.NL.Mugnet.ORG>
10 * Mark Evans, <evansmp@uhura.aston.ac.uk>
11 * Corey Minyard <wf-rch!minyard@relay.EU.net>
12 * Florian La Roche, <flla@stud.uni-sb.de>
13 * Charles Hedrick, <hedrick@klinzhai.rutgers.edu>
14 * Linus Torvalds, <torvalds@cs.helsinki.fi>
15 * Alan Cox, <gw4pts@gw4pts.ampr.org>
16 * Matthew Dillon, <dillon@apollo.west.oic.com>
17 * Arnt Gulbrandsen, <agulbra@nvg.unit.no>
18 * Jorge Cwik, <jorge@laser.satlink.net>
22 #include <linux/module.h>
23 #include <linux/slab.h>
24 #include <linux/sysctl.h>
25 #include <linux/workqueue.h>
27 #include <net/inet_common.h>
30 int sysctl_tcp_abort_on_overflow __read_mostly;
32 struct inet_timewait_death_row tcp_death_row = {
33 .sysctl_max_tw_buckets = NR_FILE * 2,
34 .hashinfo = &tcp_hashinfo,
36 EXPORT_SYMBOL_GPL(tcp_death_row);
38 static bool tcp_in_window(u32 seq, u32 end_seq, u32 s_win, u32 e_win)
42 if (after(end_seq, s_win) && before(seq, e_win))
44 return seq == e_win && seq == end_seq;
47 static enum tcp_tw_status
48 tcp_timewait_check_oow_rate_limit(struct inet_timewait_sock *tw,
49 const struct sk_buff *skb, int mib_idx)
51 struct tcp_timewait_sock *tcptw = tcp_twsk((struct sock *)tw);
53 if (!tcp_oow_rate_limited(twsk_net(tw), skb, mib_idx,
54 &tcptw->tw_last_oow_ack_time)) {
55 /* Send ACK. Note, we do not put the bucket,
56 * it will be released by caller.
61 /* We are rate-limiting, so just release the tw sock and drop skb. */
63 return TCP_TW_SUCCESS;
67 * * Main purpose of TIME-WAIT state is to close connection gracefully,
68 * when one of ends sits in LAST-ACK or CLOSING retransmitting FIN
69 * (and, probably, tail of data) and one or more our ACKs are lost.
70 * * What is TIME-WAIT timeout? It is associated with maximal packet
71 * lifetime in the internet, which results in wrong conclusion, that
72 * it is set to catch "old duplicate segments" wandering out of their path.
73 * It is not quite correct. This timeout is calculated so that it exceeds
74 * maximal retransmission timeout enough to allow to lose one (or more)
75 * segments sent by peer and our ACKs. This time may be calculated from RTO.
76 * * When TIME-WAIT socket receives RST, it means that another end
77 * finally closed and we are allowed to kill TIME-WAIT too.
78 * * Second purpose of TIME-WAIT is catching old duplicate segments.
79 * Well, certainly it is pure paranoia, but if we load TIME-WAIT
80 * with this semantics, we MUST NOT kill TIME-WAIT state with RSTs.
81 * * If we invented some more clever way to catch duplicates
82 * (f.e. based on PAWS), we could truncate TIME-WAIT to several RTOs.
84 * The algorithm below is based on FORMAL INTERPRETATION of RFCs.
85 * When you compare it to RFCs, please, read section SEGMENT ARRIVES
86 * from the very beginning.
88 * NOTE. With recycling (and later with fin-wait-2) TW bucket
89 * is _not_ stateless. It means, that strictly speaking we must
90 * spinlock it. I do not want! Well, probability of misbehaviour
91 * is ridiculously low and, seems, we could use some mb() tricks
92 * to avoid misread sequence numbers, states etc. --ANK
94 * We don't need to initialize tmp_out.sack_ok as we don't use the results
97 tcp_timewait_state_process(struct inet_timewait_sock *tw, struct sk_buff *skb,
98 const struct tcphdr *th)
100 struct tcp_options_received tmp_opt;
101 struct tcp_timewait_sock *tcptw = tcp_twsk((struct sock *)tw);
102 bool paws_reject = false;
104 tmp_opt.saw_tstamp = 0;
105 if (th->doff > (sizeof(*th) >> 2) && tcptw->tw_ts_recent_stamp) {
106 tcp_parse_options(skb, &tmp_opt, 0, NULL);
108 if (tmp_opt.saw_tstamp) {
109 tmp_opt.rcv_tsecr -= tcptw->tw_ts_offset;
110 tmp_opt.ts_recent = tcptw->tw_ts_recent;
111 tmp_opt.ts_recent_stamp = tcptw->tw_ts_recent_stamp;
112 paws_reject = tcp_paws_reject(&tmp_opt, th->rst);
116 if (tw->tw_substate == TCP_FIN_WAIT2) {
117 /* Just repeat all the checks of tcp_rcv_state_process() */
119 /* Out of window, send ACK */
121 !tcp_in_window(TCP_SKB_CB(skb)->seq, TCP_SKB_CB(skb)->end_seq,
123 tcptw->tw_rcv_nxt + tcptw->tw_rcv_wnd))
124 return tcp_timewait_check_oow_rate_limit(
125 tw, skb, LINUX_MIB_TCPACKSKIPPEDFINWAIT2);
130 if (th->syn && !before(TCP_SKB_CB(skb)->seq, tcptw->tw_rcv_nxt))
135 !after(TCP_SKB_CB(skb)->end_seq, tcptw->tw_rcv_nxt) ||
136 TCP_SKB_CB(skb)->end_seq == TCP_SKB_CB(skb)->seq) {
138 return TCP_TW_SUCCESS;
141 /* New data or FIN. If new data arrive after half-duplex close,
145 TCP_SKB_CB(skb)->end_seq != tcptw->tw_rcv_nxt + 1)
148 /* FIN arrived, enter true time-wait state. */
149 tw->tw_substate = TCP_TIME_WAIT;
150 tcptw->tw_rcv_nxt = TCP_SKB_CB(skb)->end_seq;
151 if (tmp_opt.saw_tstamp) {
152 tcptw->tw_ts_recent_stamp = get_seconds();
153 tcptw->tw_ts_recent = tmp_opt.rcv_tsval;
156 if (tcp_death_row.sysctl_tw_recycle &&
157 tcptw->tw_ts_recent_stamp &&
158 tcp_tw_remember_stamp(tw))
159 inet_twsk_reschedule(tw, tw->tw_timeout);
161 inet_twsk_reschedule(tw, TCP_TIMEWAIT_LEN);
166 * Now real TIME-WAIT state.
169 * "When a connection is [...] on TIME-WAIT state [...]
170 * [a TCP] MAY accept a new SYN from the remote TCP to
171 * reopen the connection directly, if it:
173 * (1) assigns its initial sequence number for the new
174 * connection to be larger than the largest sequence
175 * number it used on the previous connection incarnation,
178 * (2) returns to TIME-WAIT state if the SYN turns out
179 * to be an old duplicate".
183 (TCP_SKB_CB(skb)->seq == tcptw->tw_rcv_nxt &&
184 (TCP_SKB_CB(skb)->seq == TCP_SKB_CB(skb)->end_seq || th->rst))) {
185 /* In window segment, it may be only reset or bare ack. */
188 /* This is TIME_WAIT assassination, in two flavors.
189 * Oh well... nobody has a sufficient solution to this
192 if (sysctl_tcp_rfc1337 == 0) {
194 inet_twsk_deschedule_put(tw);
195 return TCP_TW_SUCCESS;
198 inet_twsk_reschedule(tw, TCP_TIMEWAIT_LEN);
201 if (tmp_opt.saw_tstamp) {
202 tcptw->tw_ts_recent = tmp_opt.rcv_tsval;
203 tcptw->tw_ts_recent_stamp = get_seconds();
207 return TCP_TW_SUCCESS;
210 /* Out of window segment.
212 All the segments are ACKed immediately.
214 The only exception is new SYN. We accept it, if it is
215 not old duplicate and we are not in danger to be killed
216 by delayed old duplicates. RFC check is that it has
217 newer sequence number works at rates <40Mbit/sec.
218 However, if paws works, it is reliable AND even more,
219 we even may relax silly seq space cutoff.
221 RED-PEN: we violate main RFC requirement, if this SYN will appear
222 old duplicate (i.e. we receive RST in reply to SYN-ACK),
223 we must return socket to time-wait state. It is not good,
227 if (th->syn && !th->rst && !th->ack && !paws_reject &&
228 (after(TCP_SKB_CB(skb)->seq, tcptw->tw_rcv_nxt) ||
229 (tmp_opt.saw_tstamp &&
230 (s32)(tcptw->tw_ts_recent - tmp_opt.rcv_tsval) < 0))) {
231 u32 isn = tcptw->tw_snd_nxt + 65535 + 2;
234 TCP_SKB_CB(skb)->tcp_tw_isn = isn;
239 __NET_INC_STATS(twsk_net(tw), LINUX_MIB_PAWSESTABREJECTED);
242 /* In this case we must reset the TIMEWAIT timer.
244 * If it is ACKless SYN it may be both old duplicate
245 * and new good SYN with random sequence number <rcv_nxt.
246 * Do not reschedule in the last case.
248 if (paws_reject || th->ack)
249 inet_twsk_reschedule(tw, TCP_TIMEWAIT_LEN);
251 return tcp_timewait_check_oow_rate_limit(
252 tw, skb, LINUX_MIB_TCPACKSKIPPEDTIMEWAIT);
255 return TCP_TW_SUCCESS;
257 EXPORT_SYMBOL(tcp_timewait_state_process);
260 * Move a socket to time-wait or dead fin-wait-2 state.
262 void tcp_time_wait(struct sock *sk, int state, int timeo)
264 const struct inet_connection_sock *icsk = inet_csk(sk);
265 const struct tcp_sock *tp = tcp_sk(sk);
266 struct inet_timewait_sock *tw;
267 bool recycle_ok = false;
269 if (tcp_death_row.sysctl_tw_recycle && tp->rx_opt.ts_recent_stamp)
270 recycle_ok = tcp_remember_stamp(sk);
272 tw = inet_twsk_alloc(sk, &tcp_death_row, state);
275 struct tcp_timewait_sock *tcptw = tcp_twsk((struct sock *)tw);
276 const int rto = (icsk->icsk_rto << 2) - (icsk->icsk_rto >> 1);
277 struct inet_sock *inet = inet_sk(sk);
279 tw->tw_transparent = inet->transparent;
280 tw->tw_rcv_wscale = tp->rx_opt.rcv_wscale;
281 tcptw->tw_rcv_nxt = tp->rcv_nxt;
282 tcptw->tw_snd_nxt = tp->snd_nxt;
283 tcptw->tw_rcv_wnd = tcp_receive_window(tp);
284 tcptw->tw_ts_recent = tp->rx_opt.ts_recent;
285 tcptw->tw_ts_recent_stamp = tp->rx_opt.ts_recent_stamp;
286 tcptw->tw_ts_offset = tp->tsoffset;
287 tcptw->tw_last_oow_ack_time = 0;
289 #if IS_ENABLED(CONFIG_IPV6)
290 if (tw->tw_family == PF_INET6) {
291 struct ipv6_pinfo *np = inet6_sk(sk);
293 tw->tw_v6_daddr = sk->sk_v6_daddr;
294 tw->tw_v6_rcv_saddr = sk->sk_v6_rcv_saddr;
295 tw->tw_tclass = np->tclass;
296 tw->tw_flowlabel = be32_to_cpu(np->flow_label & IPV6_FLOWLABEL_MASK);
297 tw->tw_ipv6only = sk->sk_ipv6only;
301 #ifdef CONFIG_TCP_MD5SIG
303 * The timewait bucket does not have the key DB from the
304 * sock structure. We just make a quick copy of the
305 * md5 key being used (if indeed we are using one)
306 * so the timewait ack generating code has the key.
309 struct tcp_md5sig_key *key;
310 tcptw->tw_md5_key = NULL;
311 key = tp->af_specific->md5_lookup(sk, sk);
313 tcptw->tw_md5_key = kmemdup(key, sizeof(*key), GFP_ATOMIC);
314 if (tcptw->tw_md5_key && !tcp_alloc_md5sig_pool())
320 /* Get the TIME_WAIT timeout firing. */
325 tw->tw_timeout = rto;
327 tw->tw_timeout = TCP_TIMEWAIT_LEN;
328 if (state == TCP_TIME_WAIT)
329 timeo = TCP_TIMEWAIT_LEN;
332 /* tw_timer is pinned, so we need to make sure BH are disabled
333 * in following section, otherwise timer handler could run before
334 * we complete the initialization.
337 inet_twsk_schedule(tw, timeo);
338 /* Linkage updates. */
339 __inet_twsk_hashdance(tw, sk, &tcp_hashinfo);
343 /* Sorry, if we're out of memory, just CLOSE this
344 * socket up. We've got bigger problems than
345 * non-graceful socket closings.
347 NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPTIMEWAITOVERFLOW);
350 tcp_update_metrics(sk);
354 void tcp_twsk_destructor(struct sock *sk)
356 #ifdef CONFIG_TCP_MD5SIG
357 struct tcp_timewait_sock *twsk = tcp_twsk(sk);
359 if (twsk->tw_md5_key)
360 kfree_rcu(twsk->tw_md5_key, rcu);
363 EXPORT_SYMBOL_GPL(tcp_twsk_destructor);
365 /* Warning : This function is called without sk_listener being locked.
366 * Be sure to read socket fields once, as their value could change under us.
368 void tcp_openreq_init_rwin(struct request_sock *req,
369 const struct sock *sk_listener,
370 const struct dst_entry *dst)
372 struct inet_request_sock *ireq = inet_rsk(req);
373 const struct tcp_sock *tp = tcp_sk(sk_listener);
374 u16 user_mss = READ_ONCE(tp->rx_opt.user_mss);
375 int full_space = tcp_full_space(sk_listener);
376 int mss = dst_metric_advmss(dst);
380 if (user_mss && user_mss < mss)
383 window_clamp = READ_ONCE(tp->window_clamp);
384 /* Set this up on the first call only */
385 req->rsk_window_clamp = window_clamp ? : dst_metric(dst, RTAX_WINDOW);
387 /* limit the window selection if the user enforce a smaller rx buffer */
388 if (sk_listener->sk_userlocks & SOCK_RCVBUF_LOCK &&
389 (req->rsk_window_clamp > full_space || req->rsk_window_clamp == 0))
390 req->rsk_window_clamp = full_space;
392 /* tcp_full_space because it is guaranteed to be the first packet */
393 tcp_select_initial_window(full_space,
394 mss - (ireq->tstamp_ok ? TCPOLEN_TSTAMP_ALIGNED : 0),
396 &req->rsk_window_clamp,
399 dst_metric(dst, RTAX_INITRWND));
400 ireq->rcv_wscale = rcv_wscale;
402 EXPORT_SYMBOL(tcp_openreq_init_rwin);
404 static void tcp_ecn_openreq_child(struct tcp_sock *tp,
405 const struct request_sock *req)
407 tp->ecn_flags = inet_rsk(req)->ecn_ok ? TCP_ECN_OK : 0;
410 void tcp_ca_openreq_child(struct sock *sk, const struct dst_entry *dst)
412 struct inet_connection_sock *icsk = inet_csk(sk);
413 u32 ca_key = dst_metric(dst, RTAX_CC_ALGO);
414 bool ca_got_dst = false;
416 if (ca_key != TCP_CA_UNSPEC) {
417 const struct tcp_congestion_ops *ca;
420 ca = tcp_ca_find_key(ca_key);
421 if (likely(ca && try_module_get(ca->owner))) {
422 icsk->icsk_ca_dst_locked = tcp_ca_dst_locked(dst);
423 icsk->icsk_ca_ops = ca;
429 /* If no valid choice made yet, assign current system default ca. */
431 (!icsk->icsk_ca_setsockopt ||
432 !try_module_get(icsk->icsk_ca_ops->owner)))
433 tcp_assign_congestion_control(sk);
435 tcp_set_ca_state(sk, TCP_CA_Open);
437 EXPORT_SYMBOL_GPL(tcp_ca_openreq_child);
439 /* This is not only more efficient than what we used to do, it eliminates
440 * a lot of code duplication between IPv4/IPv6 SYN recv processing. -DaveM
442 * Actually, we could lots of memory writes here. tp of listening
443 * socket contains all necessary default parameters.
445 struct sock *tcp_create_openreq_child(const struct sock *sk,
446 struct request_sock *req,
449 struct sock *newsk = inet_csk_clone_lock(sk, req, GFP_ATOMIC);
452 const struct inet_request_sock *ireq = inet_rsk(req);
453 struct tcp_request_sock *treq = tcp_rsk(req);
454 struct inet_connection_sock *newicsk = inet_csk(newsk);
455 struct tcp_sock *newtp = tcp_sk(newsk);
457 /* Now setup tcp_sock */
458 newtp->pred_flags = 0;
460 newtp->rcv_wup = newtp->copied_seq =
461 newtp->rcv_nxt = treq->rcv_isn + 1;
464 newtp->snd_sml = newtp->snd_una =
465 newtp->snd_nxt = newtp->snd_up = treq->snt_isn + 1;
467 tcp_prequeue_init(newtp);
468 INIT_LIST_HEAD(&newtp->tsq_node);
470 tcp_init_wl(newtp, treq->rcv_isn);
473 newtp->mdev_us = jiffies_to_usecs(TCP_TIMEOUT_INIT);
474 minmax_reset(&newtp->rtt_min, tcp_time_stamp, ~0U);
475 newicsk->icsk_rto = TCP_TIMEOUT_INIT;
476 newicsk->icsk_ack.lrcvtime = tcp_time_stamp;
478 newtp->packets_out = 0;
479 newtp->retrans_out = 0;
480 newtp->sacked_out = 0;
481 newtp->fackets_out = 0;
482 newtp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
483 tcp_enable_early_retrans(newtp);
484 newtp->tlp_high_seq = 0;
485 newtp->lsndtime = treq->snt_synack.stamp_jiffies;
486 newsk->sk_txhash = treq->txhash;
487 newtp->last_oow_ack_time = 0;
488 newtp->total_retrans = req->num_retrans;
490 /* So many TCP implementations out there (incorrectly) count the
491 * initial SYN frame in their delayed-ACK and congestion control
492 * algorithms that we must have the following bandaid to talk
493 * efficiently to them. -DaveM
495 newtp->snd_cwnd = TCP_INIT_CWND;
496 newtp->snd_cwnd_cnt = 0;
498 /* There's a bubble in the pipe until at least the first ACK. */
499 newtp->app_limited = ~0U;
501 tcp_init_xmit_timers(newsk);
502 newtp->write_seq = newtp->pushed_seq = treq->snt_isn + 1;
504 newtp->rx_opt.saw_tstamp = 0;
506 newtp->rx_opt.dsack = 0;
507 newtp->rx_opt.num_sacks = 0;
511 if (sock_flag(newsk, SOCK_KEEPOPEN))
512 inet_csk_reset_keepalive_timer(newsk,
513 keepalive_time_when(newtp));
515 newtp->rx_opt.tstamp_ok = ireq->tstamp_ok;
516 if ((newtp->rx_opt.sack_ok = ireq->sack_ok) != 0) {
518 tcp_enable_fack(newtp);
520 newtp->window_clamp = req->rsk_window_clamp;
521 newtp->rcv_ssthresh = req->rsk_rcv_wnd;
522 newtp->rcv_wnd = req->rsk_rcv_wnd;
523 newtp->rx_opt.wscale_ok = ireq->wscale_ok;
524 if (newtp->rx_opt.wscale_ok) {
525 newtp->rx_opt.snd_wscale = ireq->snd_wscale;
526 newtp->rx_opt.rcv_wscale = ireq->rcv_wscale;
528 newtp->rx_opt.snd_wscale = newtp->rx_opt.rcv_wscale = 0;
529 newtp->window_clamp = min(newtp->window_clamp, 65535U);
531 newtp->snd_wnd = (ntohs(tcp_hdr(skb)->window) <<
532 newtp->rx_opt.snd_wscale);
533 newtp->max_window = newtp->snd_wnd;
535 if (newtp->rx_opt.tstamp_ok) {
536 newtp->rx_opt.ts_recent = req->ts_recent;
537 newtp->rx_opt.ts_recent_stamp = get_seconds();
538 newtp->tcp_header_len = sizeof(struct tcphdr) + TCPOLEN_TSTAMP_ALIGNED;
540 newtp->rx_opt.ts_recent_stamp = 0;
541 newtp->tcp_header_len = sizeof(struct tcphdr);
544 #ifdef CONFIG_TCP_MD5SIG
545 newtp->md5sig_info = NULL; /*XXX*/
546 if (newtp->af_specific->md5_lookup(sk, newsk))
547 newtp->tcp_header_len += TCPOLEN_MD5SIG_ALIGNED;
549 if (skb->len >= TCP_MSS_DEFAULT + newtp->tcp_header_len)
550 newicsk->icsk_ack.last_seg_size = skb->len - newtp->tcp_header_len;
551 newtp->rx_opt.mss_clamp = req->mss;
552 tcp_ecn_openreq_child(newtp, req);
553 newtp->fastopen_req = NULL;
554 newtp->fastopen_rsk = NULL;
555 newtp->syn_data_acked = 0;
556 newtp->rack.mstamp.v64 = 0;
557 newtp->rack.advanced = 0;
559 __TCP_INC_STATS(sock_net(sk), TCP_MIB_PASSIVEOPENS);
563 EXPORT_SYMBOL(tcp_create_openreq_child);
566 * Process an incoming packet for SYN_RECV sockets represented as a
567 * request_sock. Normally sk is the listener socket but for TFO it
568 * points to the child socket.
570 * XXX (TFO) - The current impl contains a special check for ack
571 * validation and inside tcp_v4_reqsk_send_ack(). Can we do better?
573 * We don't need to initialize tmp_opt.sack_ok as we don't use the results
576 struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb,
577 struct request_sock *req,
580 struct tcp_options_received tmp_opt;
582 const struct tcphdr *th = tcp_hdr(skb);
583 __be32 flg = tcp_flag_word(th) & (TCP_FLAG_RST|TCP_FLAG_SYN|TCP_FLAG_ACK);
584 bool paws_reject = false;
587 tmp_opt.saw_tstamp = 0;
588 if (th->doff > (sizeof(struct tcphdr)>>2)) {
589 tcp_parse_options(skb, &tmp_opt, 0, NULL);
591 if (tmp_opt.saw_tstamp) {
592 tmp_opt.ts_recent = req->ts_recent;
593 /* We do not store true stamp, but it is not required,
594 * it can be estimated (approximately)
597 tmp_opt.ts_recent_stamp = get_seconds() - ((TCP_TIMEOUT_INIT/HZ)<<req->num_timeout);
598 paws_reject = tcp_paws_reject(&tmp_opt, th->rst);
602 /* Check for pure retransmitted SYN. */
603 if (TCP_SKB_CB(skb)->seq == tcp_rsk(req)->rcv_isn &&
604 flg == TCP_FLAG_SYN &&
607 * RFC793 draws (Incorrectly! It was fixed in RFC1122)
608 * this case on figure 6 and figure 8, but formal
609 * protocol description says NOTHING.
610 * To be more exact, it says that we should send ACK,
611 * because this segment (at least, if it has no data)
614 * CONCLUSION: RFC793 (even with RFC1122) DOES NOT
615 * describe SYN-RECV state. All the description
616 * is wrong, we cannot believe to it and should
617 * rely only on common sense and implementation
620 * Enforce "SYN-ACK" according to figure 8, figure 6
621 * of RFC793, fixed by RFC1122.
623 * Note that even if there is new data in the SYN packet
624 * they will be thrown away too.
626 * Reset timer after retransmitting SYNACK, similar to
627 * the idea of fast retransmit in recovery.
629 if (!tcp_oow_rate_limited(sock_net(sk), skb,
630 LINUX_MIB_TCPACKSKIPPEDSYNRECV,
631 &tcp_rsk(req)->last_oow_ack_time) &&
633 !inet_rtx_syn_ack(sk, req)) {
634 unsigned long expires = jiffies;
636 expires += min(TCP_TIMEOUT_INIT << req->num_timeout,
639 mod_timer_pending(&req->rsk_timer, expires);
641 req->rsk_timer.expires = expires;
646 /* Further reproduces section "SEGMENT ARRIVES"
647 for state SYN-RECEIVED of RFC793.
648 It is broken, however, it does not work only
649 when SYNs are crossed.
651 You would think that SYN crossing is impossible here, since
652 we should have a SYN_SENT socket (from connect()) on our end,
653 but this is not true if the crossed SYNs were sent to both
654 ends by a malicious third party. We must defend against this,
655 and to do that we first verify the ACK (as per RFC793, page
656 36) and reset if it is invalid. Is this a true full defense?
657 To convince ourselves, let us consider a way in which the ACK
658 test can still pass in this 'malicious crossed SYNs' case.
659 Malicious sender sends identical SYNs (and thus identical sequence
660 numbers) to both A and B:
665 By our good fortune, both A and B select the same initial
666 send sequence number of seven :-)
668 A: sends SYN|ACK, seq=7, ack_seq=8
669 B: sends SYN|ACK, seq=7, ack_seq=8
671 So we are now A eating this SYN|ACK, ACK test passes. So
672 does sequence test, SYN is truncated, and thus we consider
675 If icsk->icsk_accept_queue.rskq_defer_accept, we silently drop this
676 bare ACK. Otherwise, we create an established connection. Both
677 ends (listening sockets) accept the new incoming connection and try
678 to talk to each other. 8-)
680 Note: This case is both harmless, and rare. Possibility is about the
681 same as us discovering intelligent life on another plant tomorrow.
683 But generally, we should (RFC lies!) to accept ACK
684 from SYNACK both here and in tcp_rcv_state_process().
685 tcp_rcv_state_process() does not, hence, we do not too.
687 Note that the case is absolutely generic:
688 we cannot optimize anything here without
689 violating protocol. All the checks must be made
690 before attempt to create socket.
693 /* RFC793 page 36: "If the connection is in any non-synchronized state ...
694 * and the incoming segment acknowledges something not yet
695 * sent (the segment carries an unacceptable ACK) ...
698 * Invalid ACK: reset will be sent by listening socket.
699 * Note that the ACK validity check for a Fast Open socket is done
700 * elsewhere and is checked directly against the child socket rather
701 * than req because user data may have been sent out.
703 if ((flg & TCP_FLAG_ACK) && !fastopen &&
704 (TCP_SKB_CB(skb)->ack_seq !=
705 tcp_rsk(req)->snt_isn + 1))
708 /* Also, it would be not so bad idea to check rcv_tsecr, which
709 * is essentially ACK extension and too early or too late values
710 * should cause reset in unsynchronized states.
713 /* RFC793: "first check sequence number". */
715 if (paws_reject || !tcp_in_window(TCP_SKB_CB(skb)->seq, TCP_SKB_CB(skb)->end_seq,
716 tcp_rsk(req)->rcv_nxt, tcp_rsk(req)->rcv_nxt + req->rsk_rcv_wnd)) {
717 /* Out of window: send ACK and drop. */
718 if (!(flg & TCP_FLAG_RST) &&
719 !tcp_oow_rate_limited(sock_net(sk), skb,
720 LINUX_MIB_TCPACKSKIPPEDSYNRECV,
721 &tcp_rsk(req)->last_oow_ack_time))
722 req->rsk_ops->send_ack(sk, skb, req);
724 __NET_INC_STATS(sock_net(sk), LINUX_MIB_PAWSESTABREJECTED);
728 /* In sequence, PAWS is OK. */
730 if (tmp_opt.saw_tstamp && !after(TCP_SKB_CB(skb)->seq, tcp_rsk(req)->rcv_nxt))
731 req->ts_recent = tmp_opt.rcv_tsval;
733 if (TCP_SKB_CB(skb)->seq == tcp_rsk(req)->rcv_isn) {
734 /* Truncate SYN, it is out of window starting
735 at tcp_rsk(req)->rcv_isn + 1. */
736 flg &= ~TCP_FLAG_SYN;
739 /* RFC793: "second check the RST bit" and
740 * "fourth, check the SYN bit"
742 if (flg & (TCP_FLAG_RST|TCP_FLAG_SYN)) {
743 __TCP_INC_STATS(sock_net(sk), TCP_MIB_ATTEMPTFAILS);
744 goto embryonic_reset;
747 /* ACK sequence verified above, just make sure ACK is
748 * set. If ACK not set, just silently drop the packet.
750 * XXX (TFO) - if we ever allow "data after SYN", the
751 * following check needs to be removed.
753 if (!(flg & TCP_FLAG_ACK))
756 /* For Fast Open no more processing is needed (sk is the
762 /* While TCP_DEFER_ACCEPT is active, drop bare ACK. */
763 if (req->num_timeout < inet_csk(sk)->icsk_accept_queue.rskq_defer_accept &&
764 TCP_SKB_CB(skb)->end_seq == tcp_rsk(req)->rcv_isn + 1) {
765 inet_rsk(req)->acked = 1;
766 __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPDEFERACCEPTDROP);
770 /* OK, ACK is valid, create big socket and
771 * feed this segment to it. It will repeat all
772 * the tests. THIS SEGMENT MUST MOVE SOCKET TO
773 * ESTABLISHED STATE. If it will be dropped after
774 * socket is created, wait for troubles.
776 child = inet_csk(sk)->icsk_af_ops->syn_recv_sock(sk, skb, req, NULL,
779 goto listen_overflow;
781 sock_rps_save_rxhash(child, skb);
782 tcp_synack_rtt_meas(child, req);
783 return inet_csk_complete_hashdance(sk, child, req, own_req);
786 if (!sysctl_tcp_abort_on_overflow) {
787 inet_rsk(req)->acked = 1;
792 if (!(flg & TCP_FLAG_RST)) {
793 /* Received a bad SYN pkt - for TFO We try not to reset
794 * the local connection unless it's really necessary to
795 * avoid becoming vulnerable to outside attack aiming at
796 * resetting legit local connections.
798 req->rsk_ops->send_reset(sk, skb);
799 } else if (fastopen) { /* received a valid RST pkt */
800 reqsk_fastopen_remove(sk, req, true);
804 inet_csk_reqsk_queue_drop(sk, req);
805 __NET_INC_STATS(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
809 EXPORT_SYMBOL(tcp_check_req);
812 * Queue segment on the new socket if the new socket is active,
813 * otherwise we just shortcircuit this and continue with
816 * For the vast majority of cases child->sk_state will be TCP_SYN_RECV
817 * when entering. But other states are possible due to a race condition
818 * where after __inet_lookup_established() fails but before the listener
819 * locked is obtained, other packets cause the same connection to
823 int tcp_child_process(struct sock *parent, struct sock *child,
827 int state = child->sk_state;
829 tcp_segs_in(tcp_sk(child), skb);
830 if (!sock_owned_by_user(child)) {
831 ret = tcp_rcv_state_process(child, skb);
832 /* Wakeup parent, send SIGIO */
833 if (state == TCP_SYN_RECV && child->sk_state != state)
834 parent->sk_data_ready(parent);
836 /* Alas, it is possible again, because we do lookup
837 * in main socket hash table and lock on listening
838 * socket does not protect us more.
840 __sk_add_backlog(child, skb);
843 bh_unlock_sock(child);
847 EXPORT_SYMBOL(tcp_child_process);
projects / releases.git / blob