From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
Neal Cardwell <ncardwell@google.com>,
Soheil Hassas Yeganeh <soheil@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.4 12/37] tcp: md5: fix potential overestimation of TCP option space
Date: Tue, 17 Dec 2019 21:09:33 +0100 [thread overview]
Message-ID: <20191217200726.084603820@linuxfoundation.org> (raw)
In-Reply-To: <20191217200721.741054904@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 9424e2e7ad93ffffa88f882c9bc5023570904b55 ]
Back in 2008, Adam Langley fixed the corner case of packets for flows
having all of the following options : MD5 TS SACK
Since MD5 needs 20 bytes, and TS needs 12 bytes, no sack block
can be cooked from the remaining 8 bytes.
tcp_established_options() correctly sets opts->num_sack_blocks
to zero, but returns 36 instead of 32.
This means TCP cooks packets with 4 extra bytes at the end
of options, containing unitialized bytes.
Fixes: 33ad798c924b ("tcp: options clean up")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp_output.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -755,8 +755,9 @@ static unsigned int tcp_established_opti
min_t(unsigned int, eff_sacks,
(remaining - TCPOLEN_SACK_BASE_ALIGNED) /
TCPOLEN_SACK_PERBLOCK);
- size += TCPOLEN_SACK_BASE_ALIGNED +
- opts->num_sack_blocks * TCPOLEN_SACK_PERBLOCK;
+ if (likely(opts->num_sack_blocks))
+ size += TCPOLEN_SACK_BASE_ALIGNED +
+ opts->num_sack_blocks * TCPOLEN_SACK_PERBLOCK;
}
return size;
next prev parent reply other threads:[~2019-12-17 20:12 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-17 20:09 [PATCH 5.4 00/37] 5.4.5-stable review Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 01/37] inet: protect against too small mtu values Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 02/37] mqprio: Fix out-of-bounds access in mqprio_dump Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 03/37] net: bridge: deny dev_set_mac_address() when unregistering Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 04/37] net: dsa: fix flow dissection on Tx path Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 05/37] net: ethernet: ti: cpsw: fix extra rx interrupt Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 06/37] net: sched: fix dump qlen for sch_mq/sch_mqprio with NOLOCK subqueues Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 07/37] net_sched: validate TCA_KIND attribute in tc_chain_tmplt_add() Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 08/37] net-sysfs: Call dev_hold always in netdev_queue_add_kobject Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 09/37] net: thunderx: start phy before starting autonegotiation Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 10/37] net/tls: Fix return values to avoid ENOTSUPP Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 11/37] openvswitch: support asymmetric conntrack Greg Kroah-Hartman
2019-12-17 20:09 ` Greg Kroah-Hartman [this message]
2019-12-17 20:09 ` [PATCH 5.4 13/37] tipc: fix ordering of tipc module init and exit routine Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 14/37] net/mlx5e: Query global pause state before setting prio2buffer Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 15/37] net: ipv6: add net argument to ip6_dst_lookup_flow Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 16/37] net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 17/37] tcp: fix rejected syncookies due to stale timestamps Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 18/37] tcp: tighten acceptance of ACKs not matching a child socket Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 19/37] tcp: Protect accesses to .ts_recent_stamp with {READ,WRITE}_ONCE() Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 20/37] net: core: rename indirect block ingress cb function Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 21/37] net: sched: allow indirect blocks to bind to clsact in TC Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 22/37] cls_flower: Fix the behavior using port ranges with hw-offload Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 23/37] gre: refetch erspan header from skb->data after pskb_may_pull() Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 24/37] Fixed updating of ethertype in function skb_mpls_pop Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 25/37] hsr: fix a NULL pointer dereference in hsr_dev_xmit() Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 26/37] net: Fixed updating of ethertype in skb_mpls_push() Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 27/37] net/mlx5e: Fix TXQ indices to be sequential Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 28/37] act_ct: support asymmetric conntrack Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 29/37] net/mlx5e: Fix SFF 8472 eeprom length Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 30/37] net/mlx5e: Fix freeing flow with kfree() and not kvfree() Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 31/37] net/mlx5e: Fix translation of link mode into speed Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 32/37] net/mlx5e: ethtool, Fix analysis of speed setting Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 33/37] page_pool: do not release pool until inflight == 0 Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 34/37] xdp: obtain the mem_id mutex before trying to remove an entry Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 35/37] ionic: keep users rss hash across lif reset Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 36/37] net: mscc: ocelot: unregister the PTP clock on deinit Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 37/37] r8169: add missing RX enabling for WoL on RTL8125 Greg Kroah-Hartman
2019-12-18 10:24 ` [PATCH 5.4 00/37] 5.4.5-stable review Jon Hunter
2019-12-18 14:34 ` Greg Kroah-Hartman
2019-12-18 14:22 ` Naresh Kamboju
2019-12-18 14:35 ` Greg Kroah-Hartman
2019-12-18 14:48 ` Guenter Roeck
2019-12-18 14:53 ` Greg Kroah-Hartman
2019-12-18 20:59 ` shuah
2019-12-19 8:44 ` Greg Kroah-Hartman
2019-12-18 21:02 ` Geert Uytterhoeven
2019-12-19 8:45 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191217200726.084603820@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=ncardwell@google.com \
--cc=soheil@google.com \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).