43 lines
1.6 KiB
Diff
43 lines
1.6 KiB
Diff
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Eric Dumazet <edumazet@google.com>
|
||
|
|
Date: Fri, 21 Jun 2019 06:09:55 -0700
|
||
|
|
Subject: [PATCH] tcp: refine memory limit test in tcp_fragment()
|
||
|
|
|
||
|
|
tcp_fragment() might be called for skbs in the write queue.
|
||
|
|
|
||
|
|
Memory limits might have been exceeded because tcp_sendmsg() only
|
||
|
|
checks limits at full skb (64KB) boundaries.
|
||
|
|
|
||
|
|
Therefore, we need to make sure tcp_fragment() wont punish applications
|
||
|
|
that might have setup very low SO_SNDBUF values.
|
||
|
|
|
||
|
|
Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits")
|
||
|
|
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||
|
|
Reported-by: Christoph Paasch <cpaasch@apple.com>
|
||
|
|
Tested-by: Christoph Paasch <cpaasch@apple.com>
|
||
|
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||
|
|
|
||
|
|
BugLink: https://bugs.launchpad.net/bugs/1831638
|
||
|
|
CVE-2019-11478
|
||
|
|
|
||
|
|
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
|
||
|
|
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
||
|
|
---
|
||
|
|
net/ipv4/tcp_output.c | 3 ++-
|
||
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||
|
|
|
||
|
|
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
|
||
|
|
index e471ec48dcbc..de76eb94b4d2 100644
|
||
|
|
--- a/net/ipv4/tcp_output.c
|
||
|
|
+++ b/net/ipv4/tcp_output.c
|
||
|
|
@@ -1321,7 +1321,8 @@ int tcp_fragment(struct sock *sk, enum tcp_queue tcp_queue,
|
||
|
|
if (nsize < 0)
|
||
|
|
nsize = 0;
|
||
|
|
|
||
|
|
- if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
|
||
|
|
+ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf &&
|
||
|
|
+ tcp_queue != TCP_FRAG_IN_WRITE_QUEUE)) {
|
||
|
|
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
|
||
|
|
return -ENOMEM;
|
||
|
|
}
|