Revision ba91c49dedbde758ba0b72f57ac90b06ddf8e548 authored by Maxim Mikityanskiy on 10 June 2021, 16:40:31 UTC, committed by David S. Miller on 10 June 2021, 21:26:18 UTC
The TCP option parser in cake qdisc (cake_get_tcpopt and
cake_tcph_may_drop) could read one byte out of bounds. When the length
is 1, the execution flow gets into the loop, reads one byte of the
opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads
one more byte, which exceeds the length of 1.

This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
out of bounds when parsing TCP options.").

v2 changes:

Added doff validation in cake_get_tcphdr to avoid parsing garbage as TCP
header. Although it wasn't strictly an out-of-bounds access (memory was
allocated), garbage values could be read where CAKE expected the TCP
header if doff was smaller than 5.

Cc: Young Xiao <92siuyang@gmail.com>
Fixes: 8b7138814f29 ("sch_cake: Add optional ACK filter")
Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 07718be
rds_single_path.h
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _RDS_RDS_SINGLE_H
#define _RDS_RDS_SINGLE_H

/*
 * Single-path aliases: each c_<field> name below expands to the cp_<field>
 * member of element 0 of c_path, so code written against the c_* names
 * always operates on path 0 and on no other path.
 *
 * NOTE(review): these are unscoped object-like macros. The preprocessor
 * rewrites every matching token in any file that includes this header,
 * including unrelated locals or struct members that happen to be named
 * c_lock, c_state, c_flags, etc. Include this header only where every use
 * of these names is meant to refer to c_path[0].
 *
 * NOTE(review): index 0 is hard-coded; presumably this is intended for
 * code that never uses more than one path -- confirm against the
 * includers. If other paths exist, c_lock and c_cm_lock name only
 * path 0's members, so taking them does not cover state in other paths.
 */
#define	c_xmit_rm		c_path[0].cp_xmit_rm
#define	c_xmit_sg		c_path[0].cp_xmit_sg
#define	c_xmit_hdr_off		c_path[0].cp_xmit_hdr_off
#define	c_xmit_data_off		c_path[0].cp_xmit_data_off
#define	c_xmit_atomic_sent	c_path[0].cp_xmit_atomic_sent
#define	c_xmit_rdma_sent	c_path[0].cp_xmit_rdma_sent
#define	c_xmit_data_sent	c_path[0].cp_xmit_data_sent
#define	c_lock			c_path[0].cp_lock
#define c_next_tx_seq		c_path[0].cp_next_tx_seq
#define c_send_queue		c_path[0].cp_send_queue
#define c_retrans		c_path[0].cp_retrans
#define c_next_rx_seq		c_path[0].cp_next_rx_seq
#define c_transport_data	c_path[0].cp_transport_data
#define c_state			c_path[0].cp_state
#define c_send_gen		c_path[0].cp_send_gen
#define c_flags			c_path[0].cp_flags
#define c_reconnect_jiffies	c_path[0].cp_reconnect_jiffies
#define c_send_w		c_path[0].cp_send_w
#define c_recv_w		c_path[0].cp_recv_w
#define c_conn_w		c_path[0].cp_conn_w
#define c_down_w		c_path[0].cp_down_w
#define c_cm_lock		c_path[0].cp_cm_lock
#define c_waitq			c_path[0].cp_waitq
#define c_unacked_packets	c_path[0].cp_unacked_packets
#define c_unacked_bytes		c_path[0].cp_unacked_bytes

#endif /* _RDS_RDS_SINGLE_H */