tcp: fix potential huge kmalloc() calls in TCP_REPAIR - linux-dev - Linux kernel development work

diff options

author	Eric Dumazet <edumazet@google.com>	2015-11-18 21:03:33 -0800
committer	David S. Miller <davem@davemloft.net>	2015-11-20 10:57:33 -0500
commit	5d4c9bfbabdb1d497f21afd81501e5c54b0c85d9 (patch)
tree	2d59e7176c7c351ca7113839fa6f8db42762d43e /crypto
parent	tcp: fix Fast Open snmp over-counting bug (diff)
download	linux-dev-5d4c9bfbabdb1d497f21afd81501e5c54b0c85d9.tar.xz linux-dev-5d4c9bfbabdb1d497f21afd81501e5c54b0c85d9.zip

tcp: fix potential huge kmalloc() calls in TCP_REPAIR

tcp_send_rcvq() is used for re-injecting data into tcp receive queue. Problems : - No check against size is performed, allowed user to fool kernel in attempting very large memory allocations, eventually triggering OOM when memory is fragmented. - In case of fault during the copy we do not return correct errno. Lets use alloc_skb_with_frags() to cook optimal skbs. Fixes: 292e8d8c8538 ("tcp: Move rcvq sending to tcp_input.c") Fixes: c0e88ff0f256 ("tcp: Repair socket queues") Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Pavel Emelyanov <xemul@parallels.com> Acked-by: Pavel Emelyanov <xemul@parallels.com> Signed-off-by: David S. Miller <davem@davemloft.net>

Diffstat (limited to 'crypto')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: