From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Roman Gushchin <klamm@yandex-team.ru>,
Changli Gao <xiaosuo@gmail.com>,
Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [ 02/23] net: check net.core.somaxconn sysctl values
Date: Thu, 12 Sep 2013 10:44:58 -0700 [thread overview]
Message-ID: <20130912174452.047792291@linuxfoundation.org> (raw)
In-Reply-To: <20130912174451.748805761@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Roman Gushchin <klamm@yandex-team.ru>
[ Upstream commit 5f671d6b4ec3e6d66c2a868738af2cdea09e7509 ]
It's possible to assign an invalid value to the net.core.somaxconn
sysctl variable, because there is no checks at all.
The sk_max_ack_backlog field of the sock structure is defined as
unsigned short. Therefore, the backlog argument in inet_listen()
shouldn't exceed USHRT_MAX. The backlog argument in the listen() syscall
is truncated to the somaxconn value. So, the somaxconn value shouldn't
exceed 65535 (USHRT_MAX).
Also, negative values of somaxconn are meaningless.
before:
$ sysctl -w net.core.somaxconn=256
net.core.somaxconn = 256
$ sysctl -w net.core.somaxconn=65536
net.core.somaxconn = 65536
$ sysctl -w net.core.somaxconn=-100
net.core.somaxconn = -100
after:
$ sysctl -w net.core.somaxconn=256
net.core.somaxconn = 256
$ sysctl -w net.core.somaxconn=65536
error: "Invalid argument" setting key "net.core.somaxconn"
$ sysctl -w net.core.somaxconn=-100
error: "Invalid argument" setting key "net.core.somaxconn"
Based on a prior patch from Changli Gao.
Signed-off-by: Roman Gushchin <klamm@yandex-team.ru>
Reported-by: Changli Gao <xiaosuo@gmail.com>
Suggested-by: Eric Dumazet <edumazet@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/sysctl_net_core.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -19,6 +19,9 @@
#include <net/sock.h>
#include <net/net_ratelimit.h>
+static int zero = 0;
+static int ushort_max = USHRT_MAX;
+
#ifdef CONFIG_RPS
static int rps_sock_flow_sysctl(ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
@@ -197,7 +200,9 @@ static struct ctl_table netns_core_table
.data = &init_net.core.sysctl_somaxconn,
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec
+ .extra1 = &zero,
+ .extra2 = &ushort_max,
+ .proc_handler = proc_dointvec_minmax
},
{ }
};
next prev parent reply other threads:[~2013-09-12 17:45 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-12 17:44 [ 00/23] 3.4.62-stable review Greg Kroah-Hartman
2013-09-12 17:44 ` [ 01/23] htb: fix sign extension bug Greg Kroah-Hartman
2013-09-13 5:04 ` [00/23] 3.4.62-stable review Guenter Roeck
2013-09-13 12:35 ` Greg Kroah-Hartman
2013-09-12 17:44 ` Greg Kroah-Hartman [this message]
2013-09-12 17:44 ` [ 03/23] neighbour: populate neigh_parms on alloc before calling ndo_neigh_setup Greg Kroah-Hartman
2013-09-12 17:45 ` [ 04/23] bonding: modify only neigh_parms owned by us Greg Kroah-Hartman
2013-09-12 17:45 ` [ 05/23] fib_trie: remove potential out of bound access Greg Kroah-Hartman
2013-09-12 17:45 ` [ 06/23] tcp: cubic: fix overflow error in bictcp_update() Greg Kroah-Hartman
2013-09-12 17:45 ` [ 07/23] tcp: cubic: fix bug in bictcp_acked() Greg Kroah-Hartman
2013-09-12 17:45 ` [ 08/23] ipv6: dont stop backtracking in fib6_lookup_1 if subtree does not match Greg Kroah-Hartman
2013-09-12 17:45 ` [ 09/23] 8139cp: Fix skb leak in rx_status_loop failure path Greg Kroah-Hartman
2013-09-12 17:45 ` [ 10/23] tun: signedness bug in tun_get_user() Greg Kroah-Hartman
2013-09-12 17:45 ` [ 11/23] ipv6: remove max_addresses check from ipv6_create_tempaddr Greg Kroah-Hartman
2013-09-12 17:45 ` [ 12/23] ipv6: drop packets with multiple fragmentation headers Greg Kroah-Hartman
2013-09-12 17:45 ` [ 13/23] ipv6: Dont depend on per socket memory for neighbour discovery messages Greg Kroah-Hartman
2013-09-12 17:45 ` [ 14/23] net: bridge: convert MLDv2 Query MRC into msecs_to_jiffies for max_delay Greg Kroah-Hartman
2013-09-12 17:45 ` [ 15/23] ICMPv6: treat dest unreachable codes 5 and 6 as EACCES, not EPROTO Greg Kroah-Hartman
2013-09-12 17:45 ` [ 16/23] net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv Greg Kroah-Hartman
2013-09-12 17:45 ` [ 17/23] vhost: zerocopy: poll vq in zerocopy callback Greg Kroah-Hartman
2013-09-12 17:45 ` [ 18/23] macvtap: do not zerocopy if iov needs more pages than MAX_SKB_FRAGS Greg Kroah-Hartman
2013-09-12 17:45 ` [ 19/23] tipc: fix lockdep warning during bearer initialization Greg Kroah-Hartman
2013-09-12 17:45 ` [ 20/23] m32r: consistently use "suffix-$(...)" Greg Kroah-Hartman
2013-09-12 17:45 ` [ 21/23] m32r: add memcpy() for CONFIG_KERNEL_GZIP=y Greg Kroah-Hartman
2013-09-12 17:45 ` [ 22/23] m32r: make memset() global for CONFIG_KERNEL_BZIP2=y Greg Kroah-Hartman
2013-09-12 17:45 ` [ 23/23] Revert "KVM: X86 emulator: fix source operand decoding for 8bit mov[zs]x instructions" Greg Kroah-Hartman
2013-09-13 23:02 ` [ 00/23] 3.4.62-stable review Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130912174452.047792291@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=klamm@yandex-team.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=xiaosuo@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.