UBUNTU: SAUCE: tcp: tcp_fragment() should apply sane memory limits

Jonathan Looney reported that a malicious peer can force a sender to fragment its retransmit queue into tiny skbs, inflating memory usage and/or overflow 32bit counters. TCP allows an application to queue up to sk_sndbuf bytes, so we need to give some allowance for non malicious splitting of retransmit queue. A new SNMP counter is added to monitor how many times TCP did not allow to split an skb if the allowance was exceeded. Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Jonathan Looney <jtl@netflix.com> Cc: Bruce Curtis <brucec@netflix.com> Cc: Neal Cardwell <ncardwell@google.com> CC: Yuchung Cheng <ycheng@google.com> BugLink: https://bugs.launchpad.net/bugs/1831638 (Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard manipulation (LP: #1831638)) [tyhicks: Adjust context of SNMP enums] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

UBUNTU: SAUCE: tcp: tcp_fragment() should apply sane memory limits
Jonathan Looney reported that a malicious peer can force a sender to fragment its retransmit queue into tiny skbs, inflating memory usage and/or overflow 32bit counters. TCP allows an application to queue up to sk_sndbuf bytes, so we need to give some allowance for non malicious splitting of retransmit queue. A new SNMP counter is added to monitor how many times TCP did not allow to split an skb if the allowance was exceeded. Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Jonathan Looney <jtl@netflix.com> Cc: Bruce Curtis <brucec@netflix.com> Cc: Neal Cardwell <ncardwell@google.com> CC: Yuchung Cheng <ycheng@google.com> BugLink: https://bugs.launchpad.net/bugs/1831638 (Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard manipulation (LP: #1831638)) [tyhicks: Adjust context of SNMP enums] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
9094a474 · Eric Dumazet · Stefan Bader · db455250 · 9094a474 · 9094a474
Commit 9094a474 authored May 31, 2019 by Eric Dumazet Committed by Stefan Bader Jun 05, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

include/uapi/linux/snmp.h include/uapi/linux/snmp.h +1 -0

net/ipv4/proc.c net/ipv4/proc.c +1 -0

net/ipv4/tcp_output.c net/ipv4/tcp_output.c +5 -0

No files found.
--- a/include/uapi/linux/snmp.h
+++ b/include/uapi/linux/snmp.h
@@ -281,6 +281,7 @@ enum
 	LINUX_MIB_TCPKEEPALIVE,			/* TCPKeepAlive */
 	LINUX_MIB_TCPMTUPFAIL,			/* TCPMTUPFail */
 	LINUX_MIB_TCPMTUPSUCCESS,		/* TCPMTUPSuccess */
+	LINUX_MIB_TCPWQUEUETOOBIG,		/* TCPWqueueTooBig */
 	__LINUX_MIB_MAX
 };

--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
@@ -303,6 +303,7 @@ static const struct snmp_mib snmp4_net_list[] = {
 	SNMP_MIB_ITEM("TCPKeepAlive", LINUX_MIB_TCPKEEPALIVE),
 	SNMP_MIB_ITEM("TCPMTUPFail", LINUX_MIB_TCPMTUPFAIL),
 	SNMP_MIB_ITEM("TCPMTUPSuccess", LINUX_MIB_TCPMTUPSUCCESS),
+	SNMP_MIB_ITEM("TCPWqueueTooBig", LINUX_MIB_TCPWQUEUETOOBIG),
 	SNMP_MIB_SENTINEL
 };

--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1163,6 +1163,11 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len,
 	if (nsize < 0)
 		nsize = 0;
+	if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
+		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
+		return -ENOMEM;
+	}
 	if (skb_unclone(skb, gfp))
 		return -ENOMEM;