| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20150514.223321.1648157993009055494.davem@davemloft.net> Date: Thu, 14 May 2015 22:33:21 -0400 (EDT) From: David Miller <davem@...emloft.net> To: eric.dumazet@...il.com Cc: netdev@...r.kernel.org, fw@...len.de, ncardwell@...gle.com, ycheng@...gle.com Subject: Re: [PATCH net-next] tcp: syncookies: extend validity range From: Eric Dumazet <eric.dumazet@...il.com> Date: Thu, 14 May 2015 14:26:56 -0700 > From: Eric Dumazet <edumazet@...gle.com> > > Now we allow storing more request socks per listener, we might > hit syncookie mode less often and hit following bug in our stack : > > When we send a burst of syncookies, then exit this mode, > tcp_synq_no_recent_overflow() can return false if the ACK packets coming > from clients are coming three seconds after the end of syncookie > episode. > > This is a way too strong requirement and conflicts with rest of > syncookie code which allows ACK to be aged up to 2 minutes. > > Perfectly valid ACK packets are dropped just because clients might be > in a crowded wifi environment or on another planet. > > So let's fix this, and also change tcp_synq_overflow() to not > dirty a cache line for every syncookie we send, as we are under attack. > > Signed-off-by: Eric Dumazet <edumazet@...gle.com> Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists