lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Thu, 17 Sep 2020 18:05:08 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     pabeni@...hat.com
Cc:     netdev@...r.kernel.org, mptcp@...ts.01.org, cpaasch@...le.com
Subject: Re: [PATCH net-next] mptcp: fix integer overflow in
 mptcp_subflow_discard_data()

From: Paolo Abeni <pabeni@...hat.com>
Date: Thu, 17 Sep 2020 23:07:24 +0200

> Christoph reported an infinite loop in the subflow receive path
> under stress condition.
> 
> If there are multiple subflows, each of them using a large send
> buffer, the delta between the sequence number used by
> MPTCP-level retransmission can and the current msk->ack_seq
> can be greater than MAX_INT.
> 
> In the above scenario, when calling mptcp_subflow_discard_data(),
> such delta will be truncated to int, and could result in a negative
> number: no bytes will be dropped, and subflow_check_data_avail()
> will try again to process the same packet, looping forever.
> 
> This change addresses the issue by expanding the 'limit' size to 64
> bits, so that overflows are not possible anymore.
> 
> Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/87
> Fixes: 6719331c2f73 ("mptcp: trigger msk processing even for OoO data")
> Reported-and-tested-by: Christoph Paasch <cpaasch@...le.com>
> Signed-off-by: Paolo Abeni <pabeni@...hat.com>
> ---
> net-next patch, as the culprit commit is only on net-next currently

Applied, thank you.

Powered by blists - more mailing lists