Re: [PATCH net 1/1] net: ipv4: bound TCP reordering sysctl writes

All of lore.kernel.org
 help / color / mirror / Atom feed

From: David Laight <david.laight.linux@gmail.com>
To: Eric Dumazet <edumazet@google.com>
Cc: Ren Wei <n05ec@lzu.edu.cn>, Neal Cardwell <ncardwell@google.com>,
	Kuniyuki Iwashima <kuniyu@google.com>,
	netdev@vger.kernel.org, pabeni@redhat.com, kuba@kernel.org,
	chia-yu.chang@nokia-bell-labs.com, ij@kernel.org,
	fmancera@suse.de, yuuchihsu@gmail.com, idosch@nvidia.com,
	herbert@gondor.apana.org.au, yuantan098@gmail.com,
	zcliangcn@gmail.com, bird@lzu.edu.cn,
	bronzed_45_vested@icloud.com
Subject: Re: [PATCH net 1/1] net: ipv4: bound TCP reordering sysctl writes
Date: Thu, 11 Jun 2026 10:21:34 +0100	[thread overview]
Message-ID: <20260611102134.5886fe04@pumpkin> (raw)
In-Reply-To: <CANn89iKLKNGE0aqyuCdxTBbRGWwAM0vCup+AL02u1UB-LrTvSw@mail.gmail.com>

On Wed, 10 Jun 2026 10:04:06 -0700
Eric Dumazet <edumazet@google.com> wrote:

> On Wed, Jun 10, 2026 at 9:18 AM Ren Wei <n05ec@lzu.edu.cn> wrote:
> >
> > From: Wyatt Feng <bronzed_45_vested@icloud.com>
> >
> > Reject invalid `net.ipv4.tcp_reordering` values before they reach TCP
> > socket state. The sysctl is stored as an `int` but copied into the
> > `u32` `tp->reordering` field for new sockets, so negative writes wrap
> > to large values.
> >
> > With `tcp_mtu_probing=2`, the wrapped value can overflow the
> > `tcp_mtu_probe()` size calculation and drive the MTU probing path into
> > an out-of-bounds read. Route `tcp_reordering` writes through
> > `proc_dointvec_minmax()` and clamp them to the per-netns range
> > `[1, tcp_max_reordering]`.
> >
...
> Thanks for the patch. I think we can do better.
> 
> Also I do not see a fix in tcp_mtu_probe()?
> 
> What about:
> 
> 
> diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
> index c0e85cc171aec099fd5d4897b1a623dd27eaee08..987bc87e255a81680ae5e23ddd01c1f0de4425ec
> 100644
> --- a/net/ipv4/sysctl_net_ipv4.c
> +++ b/net/ipv4/sysctl_net_ipv4.c
> @@ -1058,6 +1058,9 @@ static struct ctl_table ipv4_net_table[] = {
>                 .data           = &init_net.ipv4.sysctl_tcp_reordering,
>                 .maxlen         = sizeof(int),
>                 .mode           = 0644,
> +               .proc_handler   = proc_dointvec_minmax,
> +               .extra1         = SYSCTL_ONE,
> +               .extra2         = &init_net.ipv4.sysctl_tcp_max_reordering,
>                 .proc_handler   = proc_dointvec
>         },
>         {
> @@ -1293,7 +1296,8 @@ static struct ctl_table ipv4_net_table[] = {
>                 .data           = &init_net.ipv4.sysctl_tcp_max_reordering,
>                 .maxlen         = sizeof(int),
>                 .mode           = 0644,
> -               .proc_handler   = proc_dointvec
> +               .proc_handler   = proc_dointvec_minmax,
> +               .extra1         = SYSCTL_ONE,

Would it be reasonable to put in a 'sanity' upper bound here?

Since tcp_max_reordering can be lowered after tcp_reordering is set
the bound set here isn't 'hard'.
So the same sanity limit for both may be enough?

I also found this 'gem':
void tcp_enter_loss(struct sock *sk)
{
...
	u8 reordering;
...
	reordering = READ_ONCE(net->ipv4.sysctl_tcp_reordering);

Which makes be think that someone expected these values to be small.

I don't know what the sane bounds are for either sysctl or tp->reordering
itself (which is u32).

-- David

next prev parent reply	other threads:[~2026-06-11  9:21 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <cover.1780979031.git.bronzed_45_vested@icloud.com>
2026-06-10 16:18 ` [PATCH net 1/1] net: ipv4: bound TCP reordering sysctl writes Ren Wei
2026-06-10 17:04   ` Eric Dumazet
2026-06-11  9:21     ` David Laight [this message]
2026-06-11 17:13       ` Eric Dumazet
2026-06-12  2:01         ` Kuniyuki Iwashima
2026-06-11 17:18       ` Eric Dumazet

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260611102134.5886fe04@pumpkin \
    --to=david.laight.linux@gmail.com \
    --cc=bird@lzu.edu.cn \
    --cc=bronzed_45_vested@icloud.com \
    --cc=chia-yu.chang@nokia-bell-labs.com \
    --cc=edumazet@google.com \
    --cc=fmancera@suse.de \
    --cc=herbert@gondor.apana.org.au \
    --cc=idosch@nvidia.com \
    --cc=ij@kernel.org \
    --cc=kuba@kernel.org \
    --cc=kuniyu@google.com \
    --cc=n05ec@lzu.edu.cn \
    --cc=ncardwell@google.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=yuantan098@gmail.com \
    --cc=yuuchihsu@gmail.com \
    --cc=zcliangcn@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.