• Eric Dumazet's avatar
    tcp: limit payload size of sacked skbs · 3b4929f6
    Eric Dumazet authored
    Jonathan Looney reported that TCP can trigger the following crash
    in tcp_shifted_skb() :
    
    	BUG_ON(tcp_skb_pcount(skb) < pcount);
    
    This can happen if the remote peer has advertized the smallest
    MSS that linux TCP accepts : 48
    
    An skb can hold 17 fragments, and each fragment can hold 32KB
    on x86, or 64KB on PowerPC.
    
    This means that the 16bit witdh of TCP_SKB_CB(skb)->tcp_gso_segs
    can overflow.
    
    Note that tcp_sendmsg() builds skbs with less than 64KB
    of payload, so this problem needs SACK to be enabled.
    SACK blocks allow TCP to coalesce multiple skbs in the retransmit
    queue, thus filling the 17 fragments to maximal capacity.
    
    CVE-2019-11477 -- u16 overflow of TCP_SKB_CB(skb)->tcp_gso_segs
    
    Fixes: 832d11c5 ("tcp: Try to restore large SKBs while SACK processing")
    Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
    Reported-by: default avatarJonathan Looney <jtl@netflix.com>
    Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
    Reviewed-by: default avatarTyler Hicks <tyhicks@canonical.com>
    Cc: Yuchung Cheng <ycheng@google.com>
    Cc: Bruce Curtis <brucec@netflix.com>
    Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    3b4929f6
tcp.c 102 KB