This is a note to let you know that I've just added the patch titled
tcp: md5: fix potential overestimation of TCP option space
to the 4.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
tcp-md5-fix-potential-overestimation-of-tcp-option-space.patch
and it can be found in the queue-4.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From foo@baz Wed 18 Dec 2019 01:33:13 PM CET
From: Eric Dumazet <edumazet@xxxxxxxxxx>
Date: Thu, 5 Dec 2019 10:10:15 -0800
Subject: tcp: md5: fix potential overestimation of TCP option space
From: Eric Dumazet <edumazet@xxxxxxxxxx>
[ Upstream commit 9424e2e7ad93ffffa88f882c9bc5023570904b55 ]
Back in 2008, Adam Langley fixed the corner case of packets for flows
having all of the following options : MD5 TS SACK
Since MD5 needs 20 bytes, and TS needs 12 bytes, no sack block
can be cooked from the remaining 8 bytes.
tcp_established_options() correctly sets opts->num_sack_blocks
to zero, but returns 36 instead of 32.
This means TCP cooks packets with 4 extra bytes at the end
of options, containing unitialized bytes.
Fixes: 33ad798c924b ("tcp: options clean up")
Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
Acked-by: Neal Cardwell <ncardwell@xxxxxxxxxx>
Acked-by: Soheil Hassas Yeganeh <soheil@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/ipv4/tcp_output.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -710,8 +710,9 @@ static unsigned int tcp_established_opti
min_t(unsigned int, eff_sacks,
(remaining - TCPOLEN_SACK_BASE_ALIGNED) /
TCPOLEN_SACK_PERBLOCK);
- size += TCPOLEN_SACK_BASE_ALIGNED +
- opts->num_sack_blocks * TCPOLEN_SACK_PERBLOCK;
+ if (likely(opts->num_sack_blocks))
+ size += TCPOLEN_SACK_BASE_ALIGNED +
+ opts->num_sack_blocks * TCPOLEN_SACK_PERBLOCK;
}
return size;
Patches currently in stable-queue which might be from edumazet@xxxxxxxxxx are
queue-4.4/tcp-md5-fix-potential-overestimation-of-tcp-option-space.patch
queue-4.4/tcp-protect-accesses-to-.ts_recent_stamp-with-read-write-_once.patch
queue-4.4/tcp-fix-rejected-syncookies-due-to-stale-timestamps.patch
queue-4.4/tcp-fix-off-by-one-bug-on-aborting-window-probing-so.patch
queue-4.4/tcp-tighten-acceptance-of-acks-not-matching-a-child-socket.patch
queue-4.4/inet-protect-against-too-small-mtu-values.patch
