lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 3 May 2013 11:15:07 +0200 From: Jesper Dangaard Brouer <jbrouer@...hat.com> To: Eric Dumazet <eric.dumazet@...il.com> Cc: Jesper Dangaard Brouer <brouer@...hat.com>, "David S. Miller" <davem@...emloft.net>, Hannes Frederic Sowa <hannes@...essinduktion.org>, netdev@...r.kernel.org Subject: Re: [net-next PATCH 1/4] Revert "inet: limit length of fragment queue hash table bucket lists" On Thu, 02 May 2013 08:16:41 -0700 Eric Dumazet <eric.dumazet@...il.com> wrote: > On Thu, 2013-05-02 at 09:59 +0200, Jesper Dangaard Brouer wrote: > > On Wed, 24 Apr 2013 17:00:30 -0700 Eric Dumazet > > <eric.dumazet@...il.com> wrote: > > > > > On Wed, 2013-04-24 at 17:48 +0200, Jesper Dangaard Brouer wrote: > > > > This reverts commit 5a3da1fe9561828d0ca7eca664b16ec2b9bf0055. > > > > > > > > The problem with commit 5a3da1fe (inet: limit length of fragment > > > > queue hash table bucket lists) is that, once we hit the hash > > > > depth limit (of 128), the we *keep* the existing frag queues, > > > > not allowing new frag queues to be created. Thus, an attacker > > > > can effectivly block handling of fragments for 30 sec (as each > > > > frag queue have a timeout of 30 sec) > > > > > > > > > > I do not think its good to revert this patch. It was a step in > > > right direction. > > > > We need a revert, because we are too close to the merge window, and > > cannot complete the needed "steps" to make this patch safe, sorry. > [...] > > For people willing to allow more memory to be used, the only way is to > resize hash table, or using a bigger INETFRAGS_HASHSZ > > I do not think there is a hurry, current defrag code is already better > than what we had years ago. Eric I think we agree that: 1) we need resizing of hash table based on mem limit 2) mem limit per netns "blocks" the hash resize patch Without these two patches/changes, the static 128 depth limit introduces an undocumented limit on the max mem limit setting (/proc/sys/net/ipv4/ipfrag_high_thresh). I think we only disagree on the order of the patches. But lets keep this, because after we have increased hash size (INETFRAGS_HASHSZ) to 1024, we have pushed the "undocumented limit" so-far that is very unlikely to be hit. We would have to start >36 netns instances, all being overloaded with small incomplete fragments at the same time (30 sec time window). --Jesper -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists