From patchwork Mon Jul 23 16:28:18 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eric Dumazet <edumazet@google.com>
X-Patchwork-Id: 947862
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=pass (p=reject dis=none)
	header.from=google.com
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=google.com header.i=@google.com
	header.b="Mylx8Uo9"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 41Z6PC0MtQz9s0n
	for <patchwork-incoming-netdev@ozlabs.org>;
	Tue, 24 Jul 2018 02:28:31 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S2388723AbeGWRa3 (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Mon, 23 Jul 2018 13:30:29 -0400
Received: from mail-pg1-f194.google.com ([209.85.215.194]:33731 "EHLO
	mail-pg1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S2388112AbeGWRa3 (ORCPT
	<rfc822;netdev@vger.kernel.org>); Mon, 23 Jul 2018 13:30:29 -0400
Received: by mail-pg1-f194.google.com with SMTP id r5-v6so757073pgv.0
	for <netdev@vger.kernel.org>; Mon, 23 Jul 2018 09:28:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20161025;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=YNvoU8pmLEVwreI3SyyAE4SYHfYf6aVWcZX2dPQTyQg=;
	b=Mylx8Uo9DkKqxdHMzk5mtAXQ59X6LtKeMX7jUrJ9HZj4kZOh5KA5uVbtoiTGGaAJX5
	W0tw20jPzAtKyyxgdOVnX22f4MNpnHGfhCDE0ML8V+yefMaNbUnbVgovrBAwSrTf0dAu
	hecMx63AyOAjuNRFFhWCIqUNf6EPBtz4pEmz0hPdpKQCoO1fjeuOLzAH9l5eJSbmwZ1a
	dmQDKw3N2Mkc3SEYHi544fiW6F5VULyWKsi91Afbf1VXCqehwLo0957vA5LDLzPqn2la
	TQcb8CMo9D7NlGOGrpMVNgZ65toY6HHRZWLcUYyEz84vR5RmXbLPvSo+EzBtIGoFe4ij
	LWjA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=YNvoU8pmLEVwreI3SyyAE4SYHfYf6aVWcZX2dPQTyQg=;
	b=DLvjn3IkcTHxvzAuHht0Da95Qo+a8rhVaiYwva4dKG1BMfccVmN8l1kHbHFkupxDBC
	5mUJha9+Hh27oT7WWaQ/LRX9vD5C+XmTgLvQSpd+gAaylchZgNJSnouH0vGFc4umfDxs
	Hg+9VTXVVo+RnTmIYEcP9vpxDuM1By7gyq4Ino/vfAlOtq4uYBWxsl/qmGCZbFxRTJYn
	NZxuyDSms7BzL81x7K9qest10+VVexxrNpuFr72cp868OcyHdbeDKDIMvstKhk7WWOQK
	AAnBbcAh+qmpDajj0Zqdp4j3yXzFhjB5uBx3EkB5aiimS5KXbSpRC6LMYuxJ8ZG7KZw5
	KH+g==
X-Gm-Message-State: AOUpUlHI1NUGpNhmPA5RCnDMJmLx4D1tDVOdlvEkJ6z2iE//SyO9OQuY
	UJkCdJEmLdB2s3Fd94GIsKA4Zw==
X-Google-Smtp-Source: 
 AAOMgpfqkLIzrEU1dp27XWIVMa+Si+4Apuxc0t9uKLn3/ucqwyKr/XBuBc42aGF2XgV/+YohH05ZcQ==
X-Received: by 2002:a62:89d8:: with SMTP id
	n85-v6mr2553257pfk.83.1532363308728;
	Mon, 23 Jul 2018 09:28:28 -0700 (PDT)
Received: from localhost ([2620:15c:2c4:201:f5a:7eca:440a:3ead])
	by smtp.gmail.com with ESMTPSA id
	h69-v6sm26764647pfh.13.2018.07.23.09.28.27
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Mon, 23 Jul 2018 09:28:27 -0700 (PDT)
From: Eric Dumazet <edumazet@google.com>
To: "David S . Miller" <davem@davemloft.net>,
	Juha-Matti Tilli <juha-matti.tilli@iki.fi>,
	Yuchung Cheng <ycheng@google.com>,
	Soheil Hassas Yeganeh <soheil@google.com>
Cc: netdev <netdev@vger.kernel.org>, Eric Dumazet <edumazet@google.com>,
	Eric Dumazet <eric.dumazet@gmail.com>
Subject: [PATCH net 2/5] tcp: avoid collapses in tcp_prune_queue() if
	possible
Date: Mon, 23 Jul 2018 09:28:18 -0700
Message-Id: <20180723162821.11556-3-edumazet@google.com>
X-Mailer: git-send-email 2.18.0.233.g985f88cf7e-goog
In-Reply-To: <20180723162821.11556-1-edumazet@google.com>
References: <20180723162821.11556-1-edumazet@google.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Right after a TCP flow is created, receiving tiny out of order
packets allways hit the condition :

if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
	tcp_clamp_window(sk);

tcp_clamp_window() increases sk_rcvbuf to match sk_rmem_alloc
(guarded by tcp_rmem[2])

Calling tcp_collapse_ofo_queue() in this case is not useful,
and offers a O(N^2) surface attack to malicious peers.

Better not attempt anything before full queue capacity is reached,
forcing attacker to spend lots of resource and allow us to more
easily detect the abuse.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
---
 net/ipv4/tcp_input.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 64e45b279431886a50c8097593b9dbc9e5d75cc1..53289911362a2dea6b1e9d9ce630b29eed87ebb9 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -5004,6 +5004,9 @@ static int tcp_prune_queue(struct sock *sk)
 	else if (tcp_under_memory_pressure(sk))
 		tp->rcv_ssthresh = min(tp->rcv_ssthresh, 4U * tp->advmss);
 
+	if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf)
+		return 0;
+
 	tcp_collapse_ofo_queue(sk);
 	if (!skb_queue_empty(&sk->sk_receive_queue))
 		tcp_collapse(sk, &sk->sk_receive_queue, NULL,