git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Eric Dumazet <edumazet@google.com>
	Sat, 18 May 2019 00:17:22 +0000 (17:17 -0700)
committer	David S. Miller <davem@davemloft.net>
	Sun, 16 Jun 2019 01:47:31 +0000 (18:47 -0700)
commit	3b4929f65b0d8249f19a50245cd88ed1a2f78cff
tree	6f48603df7001f7048016a2e98573bf10044dd3e	tree \| snapshot
parent	1eb4169c1e6b3c95f3a99c2c7f91b10e6c98e848	commit \| diff

tcp: limit payload size of sacked skbs

Jonathan Looney reported that TCP can trigger the following crash
in tcp_shifted_skb() :

BUG_ON(tcp_skb_pcount(skb) < pcount);

This can happen if the remote peer has advertized the smallest
MSS that linux TCP accepts : 48

An skb can hold 17 fragments, and each fragment can hold 32KB
on x86, or 64KB on PowerPC.

This means that the 16bit witdh of TCP_SKB_CB(skb)->tcp_gso_segs
can overflow.

Note that tcp_sendmsg() builds skbs with less than 64KB
of payload, so this problem needs SACK to be enabled.
SACK blocks allow TCP to coalesce multiple skbs in the retransmit
queue, thus filling the 17 fragments to maximal capacity.

CVE-2019-11477 -- u16 overflow of TCP_SKB_CB(skb)->tcp_gso_segs

Fixes: 832d11c5cd07 ("tcp: Try to restore large SKBs while SACK processing")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jonathan Looney <jtl@netflix.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Bruce Curtis <brucec@netflix.com>
Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

include/linux/tcp.h		diff \| blob \| blame \| history
include/net/tcp.h		diff \| blob \| blame \| history
net/ipv4/tcp.c		diff \| blob \| blame \| history
net/ipv4/tcp_input.c		diff \| blob \| blame \| history
net/ipv4/tcp_output.c		diff \| blob \| blame \| history