lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20221021171642.89090-1-kuniyu@amazon.com> Date: Fri, 21 Oct 2022 10:16:42 -0700 From: Kuniyuki Iwashima <kuniyu@...zon.com> To: <luwei32@...wei.com> CC: <asml.silence@...il.com>, <ast@...nel.org>, <davem@...emloft.net>, <dsahern@...nel.org>, <edumazet@...gle.com>, <imagedong@...cent.com>, <kuba@...nel.org>, <kuniyu@...zon.com>, <linux-kernel@...r.kernel.org>, <martin.lau@...nel.org>, <ncardwell@...gle.com>, <netdev@...r.kernel.org>, <pabeni@...hat.com>, <yoshfuji@...ux-ipv6.org> Subject: Re: [PATCH net,v3] tcp: fix a signed-integer-overflow bug in tcp_add_backlog() From: Lu Wei <luwei32@...wei.com> Date: Fri, 21 Oct 2022 12:06:22 +0800 > The type of sk_rcvbuf and sk_sndbuf in struct sock is int, and > in tcp_add_backlog(), the variable limit is caculated by adding > sk_rcvbuf, sk_sndbuf and 64 * 1024, it may exceed the max value > of int and overflow. This patch reduces the limit budget by > halving the sndbuf to solve this issue since ACK packets are much > smaller than the payload. > > Fixes: c9c3321257e1 ("tcp: add tcp_add_backlog()") > Signed-off-by: Lu Wei <luwei32@...wei.com> Acked-by: Kuniyuki Iwashima <kuniyu@...zon.com> > --- > net/ipv4/tcp_ipv4.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c > index 7a250ef9d1b7..87d440f47a70 100644 > --- a/net/ipv4/tcp_ipv4.c > +++ b/net/ipv4/tcp_ipv4.c > @@ -1874,11 +1874,13 @@ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb, > __skb_push(skb, hdrlen); > > no_coalesce: > + limit = (u32)READ_ONCE(sk->sk_rcvbuf) + (u32)(READ_ONCE(sk->sk_sndbuf) >> 1); > + > /* Only socket owner can try to collapse/prune rx queues > * to reduce memory overhead, so add a little headroom here. > * Few sockets backlog are possibly concurrently non empty. > */ > - limit = READ_ONCE(sk->sk_rcvbuf) + READ_ONCE(sk->sk_sndbuf) + 64*1024; > + limit += 64 * 1024; > > if (unlikely(sk_add_backlog(sk, skb, limit))) { > bh_unlock_sock(sk); > -- > 2.31.1
Powered by blists - more mailing lists