git.baikalelectronics.ru Git - kernel.git/commit
mptcp: fix integer overflow in mptcp_subflow_discard_data()
author Paolo Abeni <pabeni@redhat.com>
Thu, 17 Sep 2020 21:07:24 +0000 (23:07 +0200)
committer David S. Miller <davem@davemloft.net>
Fri, 18 Sep 2020 01:04:48 +0000 (18:04 -0700)
commit 59ad6d09a7a24577d3cced952a362442ba5ed137
tree 8e34c2405e96264b021eb296b27a805838c5b690
parent e8c8bc78997e15affa35827a12b68ae0abe27f77
mptcp: fix integer overflow in mptcp_subflow_discard_data()

Christoph reported an infinite loop in the subflow receive path
under stress conditions.

If there are multiple subflows, each of them using a large send
buffer, the delta between the sequence number used by
MPTCP-level retransmission and the current msk->ack_seq
can be greater than MAX_INT.

In the above scenario, when calling mptcp_subflow_discard_data(),
such delta will be truncated to int, and could result in a negative
number: no bytes will be dropped, and subflow_check_data_avail()
will try again to process the same packet, looping forever.

This change addresses the issue by expanding the 'limit' size to 64
bits, so that overflows are not possible anymore.

Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/87
Fixes: 72cb78ef164e ("mptcp: trigger msk processing even for OoO data")
Reported-and-tested-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/mptcp/subflow.c
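
The truncation described in the commit message, as an added user-space example that is not the kernel's code: a 64-bit sequence delta passed through an `int` limit drops nothing and the receive path retries without progress, while a 64-bit limit drains the stale packet in one pass. The struct, function names and sequence values are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical user-space model; names and layout are not the kernel's. */
struct rx_state {
    uint64_t pkt_seq;  /* data sequence number at the head of the packet */
    uint32_t pkt_len;  /* bytes of that packet still queued */
};

/* Drop up to 'limit' bytes from the head of the packet; returns bytes dropped. */
static uint32_t drop_head(struct rx_state *rx, uint64_t limit)
{
    uint32_t n = limit < rx->pkt_len ? (uint32_t)limit : rx->pkt_len;
    rx->pkt_seq += n;
    rx->pkt_len -= n;
    return n;
}

/* "Before" shape: limit is an int, so the caller's 64-bit delta is narrowed. */
static uint32_t discard_int(struct rx_state *rx, int limit)
{
    return limit > 0 ? drop_head(rx, (uint64_t)limit) : 0;
}

/* "After" shape: limit keeps all 64 bits of the delta. */
static uint32_t discard_u64(struct rx_state *rx, uint64_t limit)
{
    return drop_head(rx, limit);
}

/* Passes needed to drop a fully stale packet; -1 if still queued after max_passes. */
static int passes_to_drain(int use_u64, uint64_t ack_seq, struct rx_state rx,
                           int max_passes)
{
    int i;
    for (i = 0; i < max_passes && rx.pkt_len > 0; i++) {
        uint64_t delta = ack_seq - rx.pkt_seq;  /* stale bytes ahead of ack_seq */
        /* (int)delta is implementation-defined; gcc and clang wrap it negative */
        use_u64 ? discard_u64(&rx, delta) : discard_int(&rx, (int)delta);
    }
    return rx.pkt_len ? -1 : i;
}

int main(void)
{
    struct rx_state rx = { 1000, 1460 };             /* constructed values */
    uint64_t ack_seq = 1000 + 0x80000000ULL + 4096;  /* delta > INT_MAX */
    printf("int limit: %d\n", passes_to_drain(0, ack_seq, rx, 1000));
    printf("u64 limit: %d\n", passes_to_drain(1, ack_seq, rx, 1000));
    return 0;
}
```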