[PATCH 2.6.19] net/dccp: set safe upper bound for option length

[PATCH 2.6.19] net/dccp: set safe upper bound for option length

[Gerrit Renker]

[DCCP]: current upper limit for option length is 128 bytes;
much less than actually possible. This patch sets a safe upper
bound on option length of 992, under worst-case assumptions.

This patches against the 2.6.19 tree by David.

Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
---
 dccp.h |   17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)


diff --git a/net/dccp/dccp.h b/net/dccp/dccp.h
index 272e858..adabf3e 100644
--- a/net/dccp/dccp.h
+++ b/net/dccp/dccp.h
@@ -40,12 +40,17 @@ extern void dccp_tw_deschedule(struct in
 
 extern void dccp_time_wait(struct sock *sk, int state, int timeo);
 
-/* FIXME: Right size this */
-#define DCCP_MAX_OPT_LEN 128
-
-#define DCCP_MAX_PACKET_HDR 32
-
-#define MAX_DCCP_HEADER  (DCCP_MAX_PACKET_HDR + DCCP_MAX_OPT_LEN + MAX_HEADER)
+/*
+ *  Set safe upper bounds for header and option length. Since Data Offset is 8
+ *  bits (RFC 4340, sec. 5.1), the total header length can never be more than
+ *  8 * 255 = 1020 bytes. The largest possible header length is 28 bytes (X=1):
+ *    - DCCP-Response with ACK Subheader and 4 bytes of Service code      OR
+ *    - DCCP-Reset    with ACK Subheader and 4 bytes of Reset Code fields
+ *  Hence a safe upper bound for the maximum option length is 1020-28 = 992
+ */
+#define DCCP_MAX_OPT_LEN      992
+#define DCCP_MAX_PACKET_HDR    28
+#define MAX_DCCP_HEADER     (1020 + MAX_HEADER)
 
 #define DCCP_TIMEWAIT_LEN (60 * HZ) /* how long to wait to destroy TIME-WAIT
 				     * state, about 60 seconds */

Re: [PATCH 2.6.19] net/dccp: set safe upper bound for option length

[Gerrit Renker]

Stupid me, it should read 4 * 255 = 1020, not 8 * 255; this is
fixed below.

--
diff --git a/net/dccp/dccp.h b/net/dccp/dccp.h
index 272e858..adabf3e 100644
--- a/net/dccp/dccp.h
+++ b/net/dccp/dccp.h
@@ -40,12 +40,17 @@ extern void dccp_tw_deschedule(struct in
 
 extern void dccp_time_wait(struct sock *sk, int state, int timeo);
 
-/* FIXME: Right size this */
-#define DCCP_MAX_OPT_LEN 128
-
-#define DCCP_MAX_PACKET_HDR 32
-
-#define MAX_DCCP_HEADER  (DCCP_MAX_PACKET_HDR + DCCP_MAX_OPT_LEN + MAX_HEADER)
+/*
+ *  Set safe upper bounds for header and option length. Since Data Offset is 8
+ *  bits (RFC 4340, sec. 5.1), the total header length can never be more than
+ *  4 * 255 = 1020 bytes. The largest possible header length is 28 bytes (X=1):
+ *    - DCCP-Response with ACK Subheader and 4 bytes of Service code      OR
+ *    - DCCP-Reset    with ACK Subheader and 4 bytes of Reset Code fields
+ *  Hence a safe upper bound for the maximum option length is 1020-28 = 992
+ */
+#define DCCP_MAX_OPT_LEN      992
+#define DCCP_MAX_PACKET_HDR    28
+#define MAX_DCCP_HEADER     (1020 + MAX_HEADER)
 
 #define DCCP_TIMEWAIT_LEN (60 * HZ) /* how long to wait to destroy TIME-WAIT
 				     * state, about 60 seconds */

Re: [PATCH 2.6.19] net/dccp: set safe upper bound for option length

[Arnaldo Carvalho de Melo]

On 9/22/06, Gerrit Renker <gerrit@erg.abdn.ac.uk> wrote:
> [DCCP]: current upper limit for option length is 128 bytes;
> much less than actually possible. This patch sets a safe upper
> bound on option length of 992, under worst-case assumptions.
>
> This patches against the 2.6.19 tree by David.

Gerrit, could you please use my net-2.6.19? I'm going over the pending
dccp patches backlog and it is possible that this patch now doesn't
applies, haven't checked tho as I'm going out, will check in 20
minutes or so.

Ah, and please keep dccp@vger.kernel.org instead of netdev when the
patch is only dccp specific.

Thanks,

- Arnaldo