lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Sep 2020 18:05:08 -0700 (PDT) From: David Miller <davem@...emloft.net> To: pabeni@...hat.com Cc: netdev@...r.kernel.org, mptcp@...ts.01.org, cpaasch@...le.com Subject: Re: [PATCH net-next] mptcp: fix integer overflow in mptcp_subflow_discard_data() From: Paolo Abeni <pabeni@...hat.com> Date: Thu, 17 Sep 2020 23:07:24 +0200 > Christoph reported an infinite loop in the subflow receive path > under stress condition. > > If there are multiple subflows, each of them using a large send > buffer, the delta between the sequence number used by > MPTCP-level retransmission can and the current msk->ack_seq > can be greater than MAX_INT. > > In the above scenario, when calling mptcp_subflow_discard_data(), > such delta will be truncated to int, and could result in a negative > number: no bytes will be dropped, and subflow_check_data_avail() > will try again to process the same packet, looping forever. > > This change addresses the issue by expanding the 'limit' size to 64 > bits, so that overflows are not possible anymore. > > Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/87 > Fixes: 6719331c2f73 ("mptcp: trigger msk processing even for OoO data") > Reported-and-tested-by: Christoph Paasch <cpaasch@...le.com> > Signed-off-by: Paolo Abeni <pabeni@...hat.com> > --- > net-next patch, as the culprit commit is only on net-next currently Applied, thank you.
Powered by blists - more mailing lists