KarpelesLab / slirp / 23948093786
71%

DEFAULT BRANCH: master
Ran
Jobs 1
Files 27
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 73.898% (-1.3%) from 75.207%
23948093786

push

github

MagicalTux 
Implement RFC 9293 compliance: 7 fixes for TCP correctness

All 7 FAIL items from the RFC 9293 audit are now properly implemented
following best practices per the RFC.

Fix 1: Sequence number validation (§3.10.7.4 first check)
  - New segmentAcceptable() method implements RFC 9293 Table 5 exactly
  - Called before any processing in synchronized states
  - Out-of-window segments rejected with ACK (not silently dropped)
  - RecvBuf enforces window size: data beyond nxt+windowSize trimmed

Fix 2: RST validation (§3.10.7.4 second check + RFC 5961)
  - Moved from global pre-dispatch to per-state validation
  - SYN-SENT: RST accepted only if ACK present and SEG.ACK == SND.NXT
  - Synchronized states: RST accepted only if SEG.SEQ == RCV.NXT exactly
  - In-window but non-exact RST: challenge ACK per RFC 5961 §3.2
  - Invalid RSTs silently dropped (blind RST attack mitigation)

Fix 3: SYN in wrong state (§3.10.7.4 fourth check + RFC 5961 §4)
  - SYN in ESTABLISHED or later: send challenge ACK (not RST)
  - Per RFC 5961 §4: mitigates blind SYN injection attacks
  - Connection NOT reset — only a challenge ACK is sent

Fix 4: ACK required (§3.10.7.4 fifth check)
  - Segments without ACK flag in synchronized states are dropped
  - Checked after RST and SYN checks, before data processing
  - RST segments exempt (already handled by step 2)

Fix 5: Simultaneous open (§3.10.1)
  - handleSynSent now handles bare SYN (no ACK): RFC 9293 §3.10.7.2
  - Transitions to SYN-RECEIVED, sends SYN-ACK
  - Buffers any data in the SYN
  - Special handling in handleSynchronized for SYN-RECEIVED state
    when peer's SYN-ACK retransmits the SYN (SEQ == RCV.NXT-1)

Fix 6: Persist timer + zero-window probing (§3.7.7)
  - New persistTimer with exponential backoff (RTO → 60s cap)
  - Started in flushSendQueue when sndWnd=0 and data pending
  - Sends 1-byte window probe on each timeout
  - Stopped in processACK when window opens (sndWnd > 0)
  - Properly cleaned up in Close/Abort/RST path... (continued)

192 of 323 new or added lines in 3 files covered. (59.44%)

2 existing lines in 1 file now uncovered.

2950 of 3992 relevant lines covered (73.9%)

17235.44 hits per line

Uncovered Changes

Lines Coverage File
117
58.28
 -0.81% vtcp/conn.go
12
81.2
 -6.76% vtcp/recvbuf.go
2
91.53
 -0.78% vtcp/nettest/link.go

Coverage Regressions

Lines Coverage File
2
84.0
 -8.0% tcp_nat.go
Jobs
ID Job ID Ran Files Coverage
1 23948093786.1 27
73.9
 GitHub Action Run
Source Files on build 23948093786