| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Sep 2020 18:05:08 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: pabeni@...hat.com
Cc: netdev@...r.kernel.org, mptcp@...ts.01.org, cpaasch@...le.com
Subject: Re: [PATCH net-next] mptcp: fix integer overflow in
mptcp_subflow_discard_data()
From: Paolo Abeni <pabeni@...hat.com>
Date: Thu, 17 Sep 2020 23:07:24 +0200
> Christoph reported an infinite loop in the subflow receive path
> under stress condition.
>
> If there are multiple subflows, each of them using a large send
> buffer, the delta between the sequence number used by
> MPTCP-level retransmission can and the current msk->ack_seq
> can be greater than MAX_INT.
>
> In the above scenario, when calling mptcp_subflow_discard_data(),
> such delta will be truncated to int, and could result in a negative
> number: no bytes will be dropped, and subflow_check_data_avail()
> will try again to process the same packet, looping forever.
>
> This change addresses the issue by expanding the 'limit' size to 64
> bits, so that overflows are not possible anymore.
>
> Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/87
> Fixes: 6719331c2f73 ("mptcp: trigger msk processing even for OoO data")
> Reported-and-tested-by: Christoph Paasch <cpaasch@...le.com>
> Signed-off-by: Paolo Abeni <pabeni@...hat.com>
> ---
> net-next patch, as the culprit commit is only on net-next currently
Applied, thank you.
Powered by blists - more mailing lists