tcp: refine memory limit test in tcp_fragment()
tcp_fragment() might be called for skbs in the write queue.

Memory limits might have been exceeded because tcp_sendmsg() only checks limits at full skb (64KB) boundaries.

Therefore, we need to make sure tcp_fragment() won't punish applications that might have set up very low SO_SNDBUF values.

Fixes: f070ef2a ("tcp: tcp_fragment() should apply sane memory limits")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Christoph Paasch <cpaasch@apple.com>
Tested-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

CVE-2019-11478

(backported from commit b6653b36)
[tyhicks: Don't enforce the limit on the skb that tcp_send_head points as that skb has never been sent out. In newer kernels containing commit 75c119af ("tcp: implement rb-tree based retransmit queue"), where the retransmission queue is separate from the write queue, this skb would be in the write queue. With the modified check in this backported patch, we run the risk of enforcing the memory limit on an skb that is after tcp_send_head in the queue yet has never been sent out. However, an inspection of all tcp_fragment() call sites finds that this shouldn't occur and the limit will only be enforced on skbs that are up for retransmission.]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>