| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1447935955.22599.195.camel@edumazet-glaptop2.roam.corp.google.com> Date: Thu, 19 Nov 2015 04:25:55 -0800 From: Eric Dumazet <eric.dumazet@...il.com> To: Pavel Emelyanov <xemul@...allels.com> Cc: David Miller <davem@...emloft.net>, netdev <netdev@...r.kernel.org> Subject: Re: [PATCH net] tcp: fix potential huge kmalloc() calls in TCP_REPAIR On Thu, 2015-11-19 at 13:51 +0300, Pavel Emelyanov wrote: > On 11/19/2015 08:03 AM, Eric Dumazet wrote: > > From: Eric Dumazet <edumazet@...gle.com> > > > > tcp_send_rcvq() is used for re-injecting data into tcp receive queue. > > > > Problems : > > > > - No check against size is performed, allowed user to fool kernel in > > attempting very large memory allocations, eventually triggering > > OOM when memory is fragmented. > > Doesn't the tcp_try_rmem_schedule() protect us from doing this "eventually"? > I mean first we would be allowed to do it, but then the sock will be charged > with the previous allocations and will not add more memory to socket. But this tcp_try_rmem_schedule() is done _after_ allocation was attempted. This is too late :( -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists