diff options
author | Eric Dumazet <edumazet@google.com> | 2015-11-18 21:03:33 -0800 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2015-11-20 10:57:33 -0500 |
commit | 5d4c9bfbabdb1d497f21afd81501e5c54b0c85d9 (patch) | |
tree | 2d59e7176c7c351ca7113839fa6f8db42762d43e /crypto | |
parent | tcp: fix Fast Open snmp over-counting bug (diff) | |
download | linux-dev-5d4c9bfbabdb1d497f21afd81501e5c54b0c85d9.tar.xz linux-dev-5d4c9bfbabdb1d497f21afd81501e5c54b0c85d9.zip |
tcp: fix potential huge kmalloc() calls in TCP_REPAIR
tcp_send_rcvq() is used for re-injecting data into tcp receive queue.
Problems :
- No check against size is performed, allowed user to fool kernel in
attempting very large memory allocations, eventually triggering
OOM when memory is fragmented.
- In case of fault during the copy we do not return correct errno.
Lets use alloc_skb_with_frags() to cook optimal skbs.
Fixes: 292e8d8c8538 ("tcp: Move rcvq sending to tcp_input.c")
Fixes: c0e88ff0f256 ("tcp: Repair socket queues")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Pavel Emelyanov <xemul@parallels.com>
Acked-by: Pavel Emelyanov <xemul@parallels.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'crypto')
0 files changed, 0 insertions, 0 deletions