lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <20170515210547.125052-1-soheil.kdev@gmail.com> Date: Mon, 15 May 2017 17:05:47 -0400 From: Soheil Hassas Yeganeh <soheil.kdev@...il.com> To: davem@...emloft.net, netdev@...r.kernel.org Cc: ilpo.jarvinen@...sinki.fi, Soheil Hassas Yeganeh <soheil@...gle.com>, Neal Cardwell <ncardwell@...gle.com>, Yuchung Cheng <ycheng@...gle.com>, Eric Dumazet <edumazet@...gle.com> Subject: [PATCH net] tcp: eliminate negative reordering in tcp_clean_rtx_queue From: Soheil Hassas Yeganeh <soheil@...gle.com> tcp_ack() can call tcp_fragment() which may dededuct the value tp->fackets_out when MSS changes. When prior_fackets is larger than tp->fackets_out, tcp_clean_rtx_queue() can invoke tcp_update_reordering() with negative values. This results in absurd tp->reodering values higher than sysctl_tcp_max_reordering. Note that tcp_update_reordering indeeds sets tp->reordering to min(sysctl_tcp_max_reordering, metric), but because the comparison is signed, a negative metric always wins. Fixes: c7caf8d3ed7a ("[TCP]: Fix reord detection due to snd_una covered holes") Reported-by: Rebecca Isaacs <risaacs@...gle.com> Signed-off-by: Soheil Hassas Yeganeh <soheil@...gle.com> Signed-off-by: Neal Cardwell <ncardwell@...gle.com> Signed-off-by: Yuchung Cheng <ycheng@...gle.com> Signed-off-by: Eric Dumazet <edumazet@...gle.com> --- net/ipv4/tcp_input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 9739962bfb3f..f27dff64e59e 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -3190,7 +3190,7 @@ static int tcp_clean_rtx_queue(struct sock *sk, int prior_fackets, int delta; /* Non-retransmitted hole got filled? That's reordering */ - if (reord < prior_fackets) + if (reord < prior_fackets && reord <= tp->fackets_out) tcp_update_reordering(sk, tp->fackets_out - reord, 0); delta = tcp_is_fack(tp) ? pkts_acked : -- 2.13.0.rc2.291.g57267f2277-goog
Powered by blists - more mailing lists