Date: Wed, 03 Mar 2010 15:33:01 +0100
From: Eric Dumazet <eric.dumazet@...il.com>
To: "Zhu, Yi" <yi.zhu@...el.com>
Cc: andrew hendry <andrew.hendry@...il.com>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: RE: [PATCH 8/8] x25: use limited socket backlog
On Wednesday, 03 March 2010 at 22:00 +0800, Zhu, Yi wrote:
> andrew hendry <andrew.hendry@...il.com> wrote:
>
> > Will wait for the next spin and in the meantime think if there is a way
> > to test it. x25 with no loopback and being so slow probably can't generate the same
> > as your UDP case.
>
> I didn't find a way to drop the packet correctly. So I didn't change any behavior in
> this patch. Nor did I do in the second spin. It will be fine if you also think x25 doesn't
> need to limit its backlog size.

So are we sure we can't flood X25 backlog, using X25 over IP?

You discovered a _fatal_ flaw in backlog processing, we should close all
holes, not only UDP case. You can be sure many bad guys will inspect all
possibilities to bring down Linux hosts.

If you feel uncomfortable with a small limit, just stick a big one, like
256 packets, and you are 100% sure you won't break a protocol. If this
limit happens to be too small, we can change it later.

(No need to count bytes, since truesize includes kernel overhead, and
this overhead depends on 32/64 wide of host and kernel versions)
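
A user-space C model of the packet-count cap suggested in the message above, added here as an example; it is not code from the message or from the kernel patch, and every struct and function name in it is hypothetical. It counts packets rather than bytes, so the cap behaves the same regardless of per-packet kernel overhead.

```c
/* User-space model, not kernel code: a socket backlog capped by packet count.
 * Names are hypothetical; 256 is the cap suggested in the message above. */
#include <stdio.h>
#include <stdlib.h>
#define BACKLOG_MAX_PKTS 256
struct pkt { struct pkt *next; size_t len; };
struct backlog {
    struct pkt *head, *tail;
    unsigned int qlen;      /* packets queued while the socket is owned */
    unsigned long dropped;  /* packets refused at the cap */
};

/* Returns 0 if queued, -1 if the cap is reached (caller frees the packet). */
int backlog_add(struct backlog *b, struct pkt *p) {
    if (b->qlen >= BACKLOG_MAX_PKTS) { b->dropped++; return -1; }
    p->next = NULL;
    if (b->tail) b->tail->next = p; else b->head = p;
    b->tail = p;
    b->qlen++;
    return 0;
}

/* Owner releases the socket: process (here, free) everything queued. */
unsigned int backlog_drain(struct backlog *b) {
    unsigned int n = 0;
    for (struct pkt *p = b->head, *next; p; p = next, n++) { next = p->next; free(p); }
    b->head = b->tail = NULL;
    b->qlen = 0;
    return n;
}

/* Constructed load: `count` packets arrive while the socket stays owned. */
unsigned int enqueue_burst(struct backlog *b, unsigned int count, size_t len) {
    unsigned int accepted = 0;
    for (unsigned int i = 0; i < count; i++) {
        struct pkt *p = malloc(sizeof(*p));
        if (!p) break;
        p->len = len;
        if (backlog_add(b, p) == 0) accepted++; else free(p);
    }
    return accepted;
}

int main(void) {
    struct backlog b = {0};
    unsigned int ok = enqueue_burst(&b, 100000, 128);
    printf("accepted=%u dropped=%lu drained=%u\n", ok, b.dropped, backlog_drain(&b));
    return 0;
}
```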