[bug #56397] Assert "tcp_receive: ooseq tcplen > rcv_wnd"


David GIRAULT-2
URL:
  <https://savannah.nongnu.org/bugs/?56397>

                 Summary: Assert "tcp_receive: ooseq tcplen > rcv_wnd"
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: dgirault
            Submitted on: Mon 27 May 2019 16:01:08 UTC
                Category: TCP
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

I just got the following LWIP_ASSERT() at tcp_in.c:1582 (current master:
b3a93941).

The related code is the same as in the STABLE-2_1_x branch.


#if TCP_QUEUE_OOSEQ
        /* We now check if we have segments on the ->ooseq queue that
           are now in sequence. */
        while (pcb->ooseq != NULL &&
               pcb->ooseq->tcphdr->seqno == pcb->rcv_nxt) {

          struct tcp_seg *cseg = pcb->ooseq;
          seqno = pcb->ooseq->tcphdr->seqno;

          pcb->rcv_nxt += TCP_TCPLEN(cseg);
          LWIP_ASSERT("tcp_receive: ooseq tcplen > rcv_wnd\n",
                      pcb->rcv_wnd >= TCP_TCPLEN(cseg));
          pcb->rcv_wnd -= TCP_TCPLEN(cseg);


I cannot do a capture since this bug appeared once in the field at one of our
customers.






    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?56397>

_______________________________________________
  Message posted via Savannah
  https://savannah.nongnu.org/


_______________________________________________
lwip-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/lwip-devel

David GIRAULT-2
Follow-up Comment #1, bug #56397 (project lwip):

May be related to bug #29080, fixed by cf0b8319.

This commit should prevent having TCP_TCPLEN(cseg) > pcb->rcv_wnd, shouldn't it?



David GIRAULT-2
Follow-up Comment #2, bug #56397 (project lwip):

Hmm, can you reproduce this? If so, could you just add more output? e.g. the
values of rcv_wnd and TCP_TCPLEN(cseg). Maybe it's an off-by-one (due to
SYN/FIN) or some kind of overflow?

David GIRAULT-2
Follow-up Comment #3, bug #56397 (project lwip):

Sorry, this bug occurred only at 3 of our customers and I can't reproduce it myself
at work.

I may instrument the code before the assert to have useful values in our saved
traces sent after reboot, but I need to wait for the crash to occur again with this
new version deployed to the impacted customers.


David GIRAULT-2
Follow-up Comment #4, bug #56397 (project lwip):

That would be great, as I cannot reproduce this either.

BTW: are you using window scaling here? Maybe it has something to do with
that...

David GIRAULT-2
Follow-up Comment #5, bug #56397 (project lwip):

Hi Simon,

One of our customers just got this bug with our new version with more logs.
But, because of a typo in the added log, I don't get the value for the rcv_wnd.
:-/

The only value I got is TCP_TCPLEN(cseg) which is 1460.

Default rcv_wnd is 17520 (12*MSS) at session start. This is during an HTTPS
download (using an ALTCP_TLS socket) where records can be up to 16384 bytes
(+5 +24).

I'll come back here when I get the rcv_wnd value...

David GIRAULT-2
Follow-up Comment #6, bug #56397 (project lwip):

I see something strange in out-of-sequence segment handling.

Since TCP_OOSEQ_MAX_BYTES & TCP_OOSEQ_MAX_PBUFS are 0 (unlimited) by default,
it seems we can store an unlimited number of OOS segments in the ooseq queue. Right?

This can result in more bytes stored in pcb->ooseq than the rcv_wnd can
handle, can't it?

When the next expected segment is finally received, the following loop should
break if the ooseq segment currently being processed has size > rcv_wnd:


while (pcb->ooseq != NULL &&
       pcb->ooseq->tcphdr->seqno == pcb->rcv_nxt)


Am I missing something?

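A simplified model of the drain loop discussed in comment #6, added here as an example (it is not lwIP code and not from any poster in this thread): it shows what a 16-bit rcv_wnd becomes when the assertion is compiled out and a queued segment is larger than the remaining window, next to a loop that stops instead. The struct and function names, the 16-bit window type and the 2920-byte window are assumptions made for the example; 1460 is the segment length reported in comment #5.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint16_t tcpwnd_size_t;  /* assumption: window kept in 16 bits (no window scaling) */

/* Constructed stand-ins for a queued out-of-sequence segment and the PCB fields used. */
struct seg { uint32_t seqno; uint16_t tcplen; };
struct pcb_model { uint32_t rcv_nxt; tcpwnd_size_t rcv_wnd; };

/* Constructed sample: three contiguous 1460-byte segments waiting on the queue. */
static const struct seg SAMPLE_Q[3] = { {1000, 1460}, {2460, 1460}, {3920, 1460} };

/* Same shape as the loop in the report, with the assertion compiled out. */
size_t drain_unchecked(struct pcb_model *p, const struct seg *q, size_t n)
{
  size_t i = 0;
  while (i < n && q[i].seqno == p->rcv_nxt) {
    p->rcv_nxt += q[i].tcplen;
    p->rcv_wnd = (tcpwnd_size_t)(p->rcv_wnd - q[i].tcplen);  /* wraps if tcplen > rcv_wnd */
    i++;
  }
  return i;  /* number of segments consumed */
}

/* Variant that stops when the next queued segment no longer fits in the window. */
size_t drain_guarded(struct pcb_model *p, const struct seg *q, size_t n)
{
  size_t i = 0;
  while (i < n && q[i].seqno == p->rcv_nxt &&
         q[i].tcplen <= p->rcv_wnd) {
    p->rcv_nxt += q[i].tcplen;
    p->rcv_wnd = (tcpwnd_size_t)(p->rcv_wnd - q[i].tcplen);
    i++;
  }
  return i;
}

int main(void)
{
  struct pcb_model a = {1000, 2920}, b = {1000, 2920};  /* window of 2 * 1460 bytes */
  size_t na = drain_unchecked(&a, SAMPLE_Q, 3);
  size_t nb = drain_guarded(&b, SAMPLE_Q, 3);
  printf("unchecked: consumed=%zu rcv_wnd=%u\n", na, (unsigned)a.rcv_wnd);
  printf("guarded:   consumed=%zu rcv_wnd=%u\n", nb, (unsigned)b.rcv_wnd);
  return 0;
}
```

In the unchecked run the third segment takes the window from 0 to a large wrapped value, so the stack would afterwards account for receive space it does not have.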