Limit option_len for the TCP_CCALGOOPT option
ClosedPublic
Actions

Authored by tuexen on Nov 28 2018, 10:44 AM.

Details

Reviewers

lstewart
glebius
bz
rrs

Group Reviewers

transport

Commits

rS341503: MFC r341335:
rS341502: MFC r341335:
rS341335: Limit option_len for the TCP_CCALGOOPT.

Summary

When processing the IPPROTO_TCP level socket option TCP_CCALGOOPT, the kernel allocates memory based on the user provided option_len parameter. This option is currently only used by the newreno CC module, where the size used is 8 bytes.

This patch limits the size of allocated memory to 2048 bytes.

This issue was found by using syzkaller.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

tuexen created this revision.Nov 28 2018, 10:44 AM

Herald added a reviewer: transport. · View Herald TranscriptNov 28 2018, 10:44 AM

Herald added a subscriber: imp. · View Herald Transcript

Harbormaster completed remote builds in B21237: Diff 51283.Nov 28 2018, 10:45 AM

glebius accepted this revision.Nov 28 2018, 8:05 PM

tuexen added a reviewer: bz.Nov 29 2018, 5:16 PM

rrs accepted this revision.Nov 29 2018, 5:18 PM

This revision is now accepted and ready to land.Nov 29 2018, 5:18 PM

bz accepted this revision.Nov 29 2018, 5:22 PM

Closed by commit rS341335: Limit option_len for the TCP_CCALGOOPT. (authored by tuexen). · Explain WhyNov 30 2018, 10:51 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

head/

sys/

netinet/

cc/

cc.h

2 lines

tcp_usrreq.c

2 lines

Diff 51430

View Options

head/sys/netinet/cc/cc.h