On 23/05/14 14:47, Eric Dumazet wrote: > On Fri, 2014-05-23 at 12:13 +0100, Jim Baxter wrote: > >> What are the side effects of changing the truesize, if the original >> uncloned skb has the full truesize then isn't the potential memory usage >> still counted for the avoidance of OOM? > > Nope. This can be disastrous. > > A malicious remote peer can crash your host by sending specially cooked > TCP messages. > > Send messages with one byte of payload, and out of order so that they > cant be consumed by receiver, and cant be coalesced/collapsed. > > If you claim the true size is sizeof(sk_buff) + 512, TCP stack will > accumulate these messages in out of order queue, and will not bother > with them, unless you hit sk_rcvbuf limit. > > But in reality these messages uses sizeof(sk_buff) + 32768 bytes. > > Divide your physical memory by 32768 : How many such messages will fit > in memory before the host crashes ? > > I've seen that kind of attacks in real cases. > > Even the fast clones sk_buff mismatch can be noticed. Luckily a 10% > error has no severe impact. > > TCP stack uses fast clones, and current stack gives them a truesize of > 2048 + sizeof(sk_buff), while it really should be 2048 + > 2*sizeof(sk_buff) > > Luckily, GSO/TSO tends to reduce the error, as skbs overhead is lower. > > Thank you for clarifying, that is useful to know. -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
