[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <537F62A4.1020707@mentor.com>
Date: Fri, 23 May 2014 16:00:52 +0100
From: Jim Baxter <jim_baxter@...tor.com>
To: Eric Dumazet <eric.dumazet@...il.com>
CC: David Laight <David.Laight@...LAB.COM>,
'Bjørn Mork' <bjorn@...k.no>,
"linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"David S. Miller" <davem@...emloft.net>,
"kamal@...onical.com" <kamal@...onical.com>,
"edumazet@...gle.com" <edumazet@...gle.com>,
"mszeredi@...e.cz" <mszeredi@...e.cz>,
"fw@...len.de" <fw@...len.de>
Subject: Re: skbuff truesize incorrect.
On 23/05/14 14:47, Eric Dumazet wrote:
> On Fri, 2014-05-23 at 12:13 +0100, Jim Baxter wrote:
>
>> What are the side effects of changing the truesize, if the original
>> uncloned skb has the full truesize then isn't the potential memory usage
>> still counted for the avoidance of OOM?
>
> Nope. This can be disastrous.
>
> A malicious remote peer can crash your host by sending specially cooked
> TCP messages.
>
> Send messages with one byte of payload, and out of order so that they
> cant be consumed by receiver, and cant be coalesced/collapsed.
>
> If you claim the true size is sizeof(sk_buff) + 512, TCP stack will
> accumulate these messages in out of order queue, and will not bother
> with them, unless you hit sk_rcvbuf limit.
>
> But in reality these messages uses sizeof(sk_buff) + 32768 bytes.
>
> Divide your physical memory by 32768 : How many such messages will fit
> in memory before the host crashes ?
>
> I've seen that kind of attacks in real cases.
>
> Even the fast clones sk_buff mismatch can be noticed. Luckily a 10%
> error has no severe impact.
>
> TCP stack uses fast clones, and current stack gives them a truesize of
> 2048 + sizeof(sk_buff), while it really should be 2048 +
> 2*sizeof(sk_buff)
>
> Luckily, GSO/TSO tends to reduce the error, as skbs overhead is lower.
>
>
Thank you for clarifying, that is useful to know.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists