| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 28 Feb 2013 10:26:03 +0000 From: Thomas Graf <tgraf@...g.ch> To: davem@...emloft.net Cc: netdev@...r.kernel.org, foraker1@...l.gov Subject: [PATCH net] tcp: Don't collapse if resulting skb could overflow skb->csum_start If a TCP retransmission gets partially ACKed and collapsed multiple times it is possible for the headroom to grow beyond 64K which will overflow the 16bit skb->csum_start which is based on the start of the headroom. It has been observed rarely in the wild with IPoIB due to the 64K MTU. With this patch, the overflow has not been observed for over a week while previously it would occur within ~ 1 day. A big thank you to Jim Foraker <foraker1@...l.gov> and the team at LLNL for helping out with the investigation and testing. Reported-by: Jim Foraker <foraker1@...l.gov> Signed-off-by: Thomas Graf <tgraf@...g.ch> --- net/ipv4/tcp_output.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index e2b4461..1902fee 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -2305,6 +2305,12 @@ static void tcp_retrans_try_collapse(struct sock *sk, struct sk_buff *to, if (after(TCP_SKB_CB(skb)->end_seq, tcp_wnd_end(tp))) break; + /* Never collapse if the resulting headroom + data exceeds + * 64K as that is the maximum csum_start can cover. + */ + if (skb_headroom(to) + to->len + skb->len > 0xFFFF) + break; + tcp_collapse_retrans(sk, to); } } -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists