Use appropriate MSS value when populating the TCP FO client cookie cache

When a client receives a SYN-ACK segment with a TFP fast open cookie, but without an MSS option, an MSS value from uninitialised stack memory is used. This patch ensures that in case no MSS option is included in the SYN-ACK, the appropriate value as given in RFC 7413 is used. Reviewed by: kbowling@ Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D16175
2018-07-10 10:42:48 +00:00 · 2018-07-10 10:42:48 +00:00 · a026a53a76
commit a026a53a76
parent ad90dbb842
3 changed files with 48 additions and 12 deletions
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@ -1674,10 +1674,19 @@ tcp_do_segment(struct mbuf *m, struct tcphdr *th, struct socket *so,
 		    (to.to_flags & TOF_SACKPERM) == 0)
 			tp->t_flags &= ~TF_SACK_PERMIT;
 		if (IS_FASTOPEN(tp->t_flags)) {
-			if (to.to_flags & TOF_FASTOPEN)
-				tcp_fastopen_update_cache(tp, to.to_mss,
+			if (to.to_flags & TOF_FASTOPEN) {
+				uint16_t mss;
+
+				if (to.to_flags & TOF_MSS)
+					mss = to.to_mss;
+				else
+					if ((tp->t_inpcb->inp_vflag & INP_IPV6) != 0)
+						mss = TCP6_MSS;
+					else
+						mss = TCP_MSS;
+				tcp_fastopen_update_cache(tp, mss,
 				    to.to_tfo_len, to.to_tfo_cookie);
-			else
+			} else
 				tcp_fastopen_disable_path(tp);
 		}
 	}
--- a/sys/netinet/tcp_stacks/fastpath.c
+++ b/sys/netinet/tcp_stacks/fastpath.c
@ -1763,10 +1763,19 @@ tcp_do_segment_fastslow(struct mbuf *m, struct tcphdr *th, struct socket *so,
 		    (to.to_flags & TOF_SACKPERM) == 0)
 			tp->t_flags &= ~TF_SACK_PERMIT;
 		if (IS_FASTOPEN(tp->t_flags)) {
-			if (to.to_flags & TOF_FASTOPEN)
-				tcp_fastopen_update_cache(tp, to.to_mss,
+			if (to.to_flags & TOF_FASTOPEN) {
+				uint16_t mss;
+
+				if (to.to_flags & TOF_MSS)
+					mss = to.to_mss;
+				else
+					if ((tp->t_inpcb->inp_vflag & INP_IPV6) != 0)
+						mss = TCP6_MSS;
+					else
+						mss = TCP_MSS;
+				tcp_fastopen_update_cache(tp, mss,
 				    to.to_tfo_len, to.to_tfo_cookie);
-			else
+			} else
 				tcp_fastopen_disable_path(tp);
 		}
 	}
@ -2220,10 +2229,19 @@ tcp_do_segment_fastack(struct mbuf *m, struct tcphdr *th, struct socket *so,
 		    (to.to_flags & TOF_SACKPERM) == 0)
 			tp->t_flags &= ~TF_SACK_PERMIT;
 		if (IS_FASTOPEN(tp->t_flags)) {
-			if (to.to_flags & TOF_FASTOPEN)
-				tcp_fastopen_update_cache(tp, to.to_mss,
+			if (to.to_flags & TOF_FASTOPEN) {
+				uint16_t mss;
+
+				if (to.to_flags & TOF_MSS)
+					mss = to.to_mss;
+				else
+					if ((tp->t_inpcb->inp_vflag & INP_IPV6) != 0)
+						mss = TCP6_MSS;
+					else
+						mss = TCP_MSS;
+				tcp_fastopen_update_cache(tp, mss,
 				    to.to_tfo_len, to.to_tfo_cookie);
-			else
+			} else
 				tcp_fastopen_disable_path(tp);
 		}
 	}
--- a/sys/netinet/tcp_stacks/rack.c
+++ b/sys/netinet/tcp_stacks/rack.c
@ -6657,10 +6657,19 @@ rack_hpts_do_segment(struct mbuf *m, struct tcphdr *th, struct socket *so,
 			    (to.to_flags & TOF_SACKPERM) == 0)
 				tp->t_flags &= ~TF_SACK_PERMIT;
 			if (IS_FASTOPEN(tp->t_flags)) {
-				if (to.to_flags & TOF_FASTOPEN)
-					tcp_fastopen_update_cache(tp, to.to_mss,
+				if (to.to_flags & TOF_FASTOPEN) {
+					uint16_t mss;
+
+					if (to.to_flags & TOF_MSS)
+						mss = to.to_mss;
+					else
+						if ((tp->t_inpcb->inp_vflag & INP_IPV6) != 0)
+							mss = TCP6_MSS;
+						else
+							mss = TCP_MSS;
+					tcp_fastopen_update_cache(tp, mss,
 					    to.to_tfo_len, to.to_tfo_cookie);
-				else
+				} else
 					tcp_fastopen_disable_path(tp);
 			}
 		}