Date: Sun, 26 Jan 2014 11:50:51 +0200
From: Horia Geanta <horia.geanta@...escale.com>
To: Steffen Klassert <steffen.klassert@...unet.com>, "David S. Miller" <davem@...emloft.net>
CC: <netdev@...r.kernel.org>
Subject: [RFC ipsec-next] Temporary SA allocation and OOM

Hi,

In the cases where:
- policies are in place
- there are no key managers registered to PF_KEY / NETLINK XFRM events
- xfrm_states are not available (no KM to negotiate them)

xfrm_state_find will be called for every IPsec packet entering the system.
A temporary SA is allocated; however, since there are no KMs, km_query() fails to send an ACQUIRE notification and the temporary SA is immediately garbage collected.

This leads to OOM, considering the fact that SA alloc/free is performed for each packet and garbage collection does not keep up the pace when traffic rate is high.

I am attaching as RFC a patch that checks whether there are any KMs registered before allocating the temporary SA.
A new callback - is_alive - is added to the xfrm_mgr. If is_alive returns true, there are many chances that km_query() won't fail, thus temporary SA won't be freed (at least not until it expires - 30s default). This alleviates the strain caused by very frequent memory allocation.

Thanks,
Horia

Horia Geanta (1):
  xfrm: avoid creating temporary SA when there are no listeners

 include/net/xfrm.h    | 15 +++++++++++++++
 net/key/af_key.c      | 20 ++++++++++++++++++++
 net/xfrm/xfrm_state.c | 31 +++++++++++++++++++++++++++++++
 net/xfrm/xfrm_user.c  |  6 ++++++
 4 files changed, 72 insertions(+)

--
1.8.3.1
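
The check described in the message above, as an added user-space C model that is neither the RFC patch nor kernel code: it counts temporary-SA allocations per packet with and without an is_alive test in front of the allocation. Only is_alive, km_query and the 30 s expiry come from the message; every other name is hypothetical, and the model frees immediately where the kernel defers to garbage collection.

```c
/* User-space model, constructed for illustration; names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct km { bool (*is_alive)(void); struct km *next; }; /* stands in for xfrm_mgr */
struct temp_sa { int expires_s; };
static struct km *km_list;              /* registered key managers */
static unsigned long sa_allocs;         /* temporary SAs allocated so far */

static bool listeners(void)    { return true; }
static bool no_listeners(void) { return false; }

/* True if any registered key manager reports a listener. */
static bool km_any_alive(void) {
    for (struct km *k = km_list; k; k = k->next)
        if (k->is_alive && k->is_alive()) return true;
    return false;
}

/* Model of km_query(): ACQUIRE is delivered only if some KM listens. */
static int km_query_model(void) { return km_any_alive() ? 0 : -1; }

/* Lookup for a packet that matches a policy but has no SA.
 * guard=false allocates first; guard=true asks is_alive before allocating. */
static struct temp_sa *state_find_model(bool guard) {
    if (guard && !km_any_alive()) return NULL;
    struct temp_sa *x = malloc(sizeof *x);
    if (!x) return NULL;
    sa_allocs++;
    if (km_query_model() != 0) { free(x); return NULL; }
    x->expires_s = 30;                  /* default lifetime stated in the mail */
    return x;
}

/* Feed n packets through the lookup; returns the number of SA allocations. */
unsigned long run_packets(unsigned n, bool guard, bool km_alive) {
    struct km k = { km_alive ? listeners : no_listeners, NULL };
    struct temp_sa *larval = NULL;      /* temporary SA, reused until expiry */
    km_list = &k; sa_allocs = 0;
    for (unsigned i = 0; i < n; i++)
        if (!larval) larval = state_find_model(guard);
    free(larval);
    km_list = NULL;
    return sa_allocs;
}

int main(void) {
    printf("no KM, unguarded: %lu allocs\n", run_packets(100000, false, false));
    printf("no KM, guarded:   %lu allocs\n", run_packets(100000, true, false));
    return 0;
}
```

With no listener, the unguarded path allocates once per packet while the guarded path allocates nothing; with a listener, both paths allocate a single temporary SA that later packets reuse.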