Ignore RST received for a TCP listener

The current implementation has a bug where TCP listener does not ignore RSTs from the peer. While handling RST+ACK from the peer, this bug can complete handshakes that use syncookies. This results in half-open connection delivered to the accept queue. Fixes #6076 PiperOrigin-RevId: 376868749
author: Mithun Iyer <iyerm@google.com> 2021-06-01 10:44:30 -0700
committer: gVisor bot <gvisor-bot@google.com> 2021-06-01 10:46:40 -0700
commit: 77dc0f5bc94dff28fa23812f3ad60a8b01e91138 (patch)
tree: b9a6ce6c6cee2ddc51c739be767282a463412930 /pkg/tcpip/transport
parent: 4f374699818fec39dccdfcb07752fd0f728fe53d (diff)
2 files changed, 54 insertions, 1 deletions
diff --git a/pkg/tcpip/transport/tcp/accept.go b/pkg/tcpip/transport/tcp/accept.go
index 2c65b737d..2b5abd3ee 100644
--- a/pkg/tcpip/transport/tcp/accept.go
+++ b/pkg/tcpip/transport/tcp/accept.go
@@ -560,6 +560,10 @@ func (e *endpoint) handleListenSegment(ctx *listenContext, s *segment) tcpip.Err
 	}
 
 	switch {
+	case s.flags.Contains(header.TCPFlagRst):
+		e.stack.Stats().DroppedPackets.Increment()
+		return nil
+
 	case s.flags == header.TCPFlagSyn:
 		if e.acceptQueueIsFull() {
 			e.stack.Stats().TCP.ListenOverflowSynDrop.Increment()
@@ -611,7 +615,7 @@ func (e *endpoint) handleListenSegment(ctx *listenContext, s *segment) tcpip.Err
 		e.stack.Stats().TCP.ListenOverflowSynCookieSent.Increment()
 		return nil
 
-	case (s.flags & header.TCPFlagAck) != 0:
+	case s.flags.Contains(header.TCPFlagAck):
 		if e.acceptQueueIsFull() {
 			// Silently drop the ack as the application can't accept
 			// the connection at this point. The ack will be
@@ -753,6 +757,7 @@ func (e *endpoint) handleListenSegment(ctx *listenContext, s *segment) tcpip.Err
 		return nil
 
 	default:
+		e.stack.Stats().DroppedPackets.Increment()
 		return nil
 	}
 }
diff --git a/pkg/tcpip/transport/tcp/tcp_test.go b/pkg/tcpip/transport/tcp/tcp_test.go
index e7ede7662..9bbe9bc3e 100644
--- a/pkg/tcpip/transport/tcp/tcp_test.go
+++ b/pkg/tcpip/transport/tcp/tcp_test.go
@@ -6238,6 +6238,54 @@ func TestPassiveFailedConnectionAttemptIncrement(t *testing.T) {
 	}
 }
 
+func TestListenDropIncrement(t *testing.T) {
+	c := context.New(t, defaultMTU)
+	defer c.Cleanup()
+
+	stats := c.Stack().Stats()
+	c.Create(-1 /*epRcvBuf*/)
+
+	if err := c.EP.Bind(tcpip.FullAddress{Addr: context.StackAddr, Port: context.StackPort}); err != nil {
+		t.Fatalf("Bind failed: %s", err)
+	}
+	if err := c.EP.Listen(1 /*backlog*/); err != nil {
+		t.Fatalf("Listen failed: %s", err)
+	}
+
+	initialDropped := stats.DroppedPackets.Value()
+
+	// Send RST, FIN segments, that are expected to be dropped by the listener.
+	c.SendPacket(nil, &context.Headers{
+		SrcPort: context.TestPort,
+		DstPort: context.StackPort,
+		Flags:   header.TCPFlagRst,
+	})
+	c.SendPacket(nil, &context.Headers{
+		SrcPort: context.TestPort,
+		DstPort: context.StackPort,
+		Flags:   header.TCPFlagFin,
+	})
+
+	// To ensure that the RST, FIN sent earlier are indeed received and ignored
+	// by the listener, send a SYN and wait for the SYN to be ACKd.
+	irs := seqnum.Value(context.TestInitialSequenceNumber)
+	c.SendPacket(nil, &context.Headers{
+		SrcPort: context.TestPort,
+		DstPort: context.StackPort,
+		Flags:   header.TCPFlagSyn,
+		SeqNum:  irs,
+	})
+	checker.IPv4(t, c.GetPacket(), checker.TCP(checker.SrcPort(context.StackPort),
+		checker.DstPort(context.TestPort),
+		checker.TCPFlags(header.TCPFlagAck|header.TCPFlagSyn),
+		checker.TCPAckNum(uint32(irs)+1),
+	))
+
+	if got, want := stats.DroppedPackets.Value(), initialDropped+2; got != want {
+		t.Fatalf("got stats.DroppedPackets.Value() = %d, want = %d", got, want)
+	}
+}
+
 func TestEndpointBindListenAcceptState(t *testing.T) {
 	c := context.New(t, defaultMTU)
 	defer c.Cleanup()
author	Mithun Iyer <iyerm@google.com>	2021-06-01 10:44:30 -0700
committer	gVisor bot <gvisor-bot@google.com>	2021-06-01 10:46:40 -0700
commit	77dc0f5bc94dff28fa23812f3ad60a8b01e91138 (patch)
tree	b9a6ce6c6cee2ddc51c739be767282a463412930 /pkg/tcpip/transport
parent	4f374699818fec39dccdfcb07752fd0f728fe53d (diff)