
[net] tcp: fix potential memory corruption

Message ID 1478098397.7065.370.camel@edumazet-glaptop3.roam.corp.google.com
State Accepted, archived
Delegated to: David Miller

Commit Message

Eric Dumazet Nov. 2, 2016, 2:53 p.m. UTC
From: Eric Dumazet <edumazet@google.com>

Imagine initial value of max_skb_frags is 17, and last
skb in write queue has 15 frags.

Then max_skb_frags is lowered to 14 or smaller value.

tcp_sendmsg() will then be allowed to add additional page frags
and eventually go past MAX_SKB_FRAGS, overflowing struct
skb_shared_info.

Fixes: 5f74f82ea34c ("net:Add sysctl_max_skb_frags")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Hans Westgaard Ry <hans.westgaard.ry@oracle.com>
Cc: Håkon Bugge <haakon.bugge@oracle.com>
---
 net/ipv4/tcp.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
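
The scenario in the commit message, as an added model that is not part of this patch or of the kernel sources: a constructed stand-in for the frag-append loop in tcp_sendmsg(), with the old `i == limit` check and the corrected `i >= limit` check side by side. MAX_SKB_FRAGS, struct model_shinfo, model_append() and model_overflows() are hypothetical names chosen here; the model refuses writes past the array and only counts them, so the return value shows how many frags the kernel loop would have placed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the frag-append check in tcp_sendmsg(); not kernel code.
 * MAX_SKB_FRAGS mirrors the fixed array bound in struct skb_shared_info and
 * matches the initial sysctl value of 17 used in the commit message. */
#define MAX_SKB_FRAGS 17

struct model_shinfo {
	int nr_frags;
	int frags[MAX_SKB_FRAGS];
};

/* Append up to 'to_add' page frags to an skb that already holds 'nr_frags',
 * while sysctl_max_skb_frags is 'limit'. 'fixed' selects the corrected
 * comparison (i >= limit) instead of the original one (i == limit).
 * Writes beyond the array are not performed, only counted, so the return
 * value is the frag count the kernel loop would have reached; anything above
 * MAX_SKB_FRAGS is the skb_shared_info overflow described in the message. */
int model_append(int nr_frags, int limit, int to_add, bool fixed)
{
	struct model_shinfo shinfo = { .nr_frags = nr_frags };

	for (int n = 0; n < to_add; n++) {
		int i = shinfo.nr_frags;
		bool full = fixed ? (i >= limit) : (i == limit);

		if (full)
			break;		/* tcp_mark_push(); goto new_segment */
		if (i < MAX_SKB_FRAGS)	/* bounds check exists only in this model */
			shinfo.frags[i] = n + 1;
		shinfo.nr_frags = i + 1;
	}
	return shinfo.nr_frags;
}

/* True when the loop would have written past the end of frags[]. */
bool model_overflows(int nr_frags, int limit, int to_add, bool fixed)
{
	return model_append(nr_frags, limit, to_add, fixed) > MAX_SKB_FRAGS;
}

int main(void)
{
	/* Constructed input: last skb already has 15 frags, sysctl lowered to 14,
	 * sender tries to add 5 more. */
	int old_check = model_append(15, 14, 5, false);
	int new_check = model_append(15, 14, 5, true);

	printf("i == limit: ends at %d frags (overflow: %s)\n", old_check,
	       model_overflows(15, 14, 5, false) ? "yes" : "no");
	printf("i >= limit: ends at %d frags (overflow: %s)\n", new_check,
	       model_overflows(15, 14, 5, true) ? "yes" : "no");
	return 0;
}
```

With the original comparison the count walks straight past 17, because `i` is already above the lowered limit and never equals it; with `>=` the first append attempt pushes the segment and starts a new skb, so the existing 15 frags stay untouched.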

Comments

David Miller Nov. 3, 2016, 7:34 p.m. UTC | #1
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Wed, 02 Nov 2016 07:53:17 -0700

> From: Eric Dumazet <edumazet@google.com>
> 
> Imagine initial value of max_skb_frags is 17, and last
> skb in write queue has 15 frags.
> 
> Then max_skb_frags is lowered to 14 or smaller value.
> 
> tcp_sendmsg() will then be allowed to add additional page frags
> and eventually go past MAX_SKB_FRAGS, overflowing struct
> skb_shared_info.
> 
> Fixes: 5f74f82ea34c ("net:Add sysctl_max_skb_frags")
> Signed-off-by: Eric Dumazet <edumazet@google.com>

Applied and queued up for -stable, thanks.

Patch

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 3251fe71f39f..18238ef8135a 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1241,7 +1241,7 @@  int tcp_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
 
 			if (!skb_can_coalesce(skb, i, pfrag->page,
 					      pfrag->offset)) {
-				if (i == sysctl_max_skb_frags || !sg) {
+				if (i >= sysctl_max_skb_frags || !sg) {
 					tcp_mark_push(tp, skb);
 					goto new_segment;
 				}
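Review bot: the `>=` on the new line is correct but looks like a gratuitous change next to `!sg`, and the reason (sysctl_max_skb_frags may have been lowered below the frag count an existing skb already carries) lives only in the commit message; a one-line comment above the `if`, e.g. `/* sysctl may have dropped below skb's current frag count */`, would stop a later cleanup from "simplifying" it back to `==`.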