
FIN_WAIT1 / TCP_CORK / 2.2 -- reproducible bug and test case

To: davem@xxxxxxxxxx, ak@xxxxxx, kuznet@xxxxxxxxxxxxx, netdev@xxxxxxxxxxx, Alan.Cox@xxxxxxxxx
Subject: FIN_WAIT1 / TCP_CORK / 2.2 -- reproducible bug and test case
From: Martin Pool <mbp@xxxxxxxxx>
Date: Wed, 18 Sep 2002 12:03:49 +1000
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.4i

(Sorry for spamming people directly; my list message didn't get a
reply and it's a serious bug in some circumstances.)

I've discovered a bug in Linux 2.2 that allows TCP sockets to get
stuck in FIN_WAIT1 with no timeout or retransmissions.  Code to
demonstrate the problem, plus a tcpdump of it happening, is
attached.  There are more details about what's going on, as I
understand it, in the headers.

I suspect there is a mishandling of sk->nonagle==2 in tcp_send_test(),
but I have not yet puzzled out the code enough to say exactly what it
is.  I think basically the handling of a closing socket that still has
corks set is broken.

You might argue that this is a security bug because it allows local
users to consume arbitrarily large (?)  kernel resources, and in some
cases the resources cannot be released without a reboot.  (Or perhaps
a spoofed RST packet would fix it too.)

-- 
Martin 


Attachment: corked_demo.c
Description: Text Data

Attachment: corked_tcpdump.txt
Description: Text document

Attachment: corked-out-20020917-2009
Description: Text document
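The symptom in the report is visible from /proc/net/tcp: a socket in FIN_WAIT1 has an unacknowledged FIN outstanding, so it should always have its retransmit timer armed (tr column non-zero) until the peer ACKs or the connection is torn down. The following Python script is an added example, not one of the attachments above; it parses constructed /proc/net/tcp lines (state column 04 is FIN_WAIT1) and reports FIN_WAIT1 sockets with no timer pending, which is the "no timeout or retransmissions" condition described in the mail, so an operator can spot such leaked sockets and which uid owns them.

```python
import socket
import struct

# /proc/net/tcp "st" column values come from the kernel's TCP state enum (hex).
TCP_FIN_WAIT1 = 0x04
TIMER_NONE = 0  # "tr" column: 0 means no retransmit/probe/keepalive timer pending

# Constructed sample of /proc/net/tcp, not a real capture. Row 2 mimics the
# reported symptom: FIN_WAIT1, data queued, no timer armed, zero retransmits.
# Row 3 is a healthy FIN_WAIT1 (timer armed, retransmitting) and is not flagged.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
   1: 0100007F:C2A4 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1
   2: 0100007F:C2A8 0100007F:1F90 04 00000041:00000000 00:00000000 00000000  1000        0 12347 1
   3: 0100007F:C2AC 0100007F:1F90 04 00000041:00000000 01:00000C8A 00000003  1000        0 12348 1
"""


def decode_endpoint(field):
    """Turn '0100007F:1F90' (little-endian hex IPv4, hex port) into ('127.0.0.1', 8080)."""
    addr_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the data rows of /proc/net/tcp (header line skipped) into dicts."""
    entries = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 10:
            continue  # malformed or truncated row
        tx_q, rx_q = (int(x, 16) for x in cols[4].split(":"))
        timer_active = int(cols[5].split(":")[0], 16)
        entries.append({
            "local": decode_endpoint(cols[1]), "remote": decode_endpoint(cols[2]),
            "state": int(cols[3], 16), "tx_queue": tx_q, "rx_queue": rx_q,
            "timer": timer_active, "retransmits": int(cols[6], 16),
            "uid": int(cols[7]), "inode": int(cols[9]),
        })
    return entries


def find_stuck_fin_wait1(entries):
    """Return FIN_WAIT1 sockets with no timer pending: with the FIN unacked, a
    retransmit timer should be armed, so its absence means the socket will
    neither retransmit nor time out on its own."""
    return [e for e in entries
            if e["state"] == TCP_FIN_WAIT1 and e["timer"] == TIMER_NONE]
```

On a live host, feed `open("/proc/net/tcp").read()` to `parse_proc_net_tcp` and report the uid and tx_queue of each flagged entry; repeated hits from one uid across scans are the resource-consumption case the mail warns about.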
