From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Miller
Subject: Re: [PATCH net] dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart()
Date: Fri, 03 Aug 2018 13:36:39 -0700 (PDT)
Message-ID: <20180803.133639.1730093521545082783.davem@davemloft.net>
References: <1533226925-16783-1-git-send-email-alexey.kodanev@oracle.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org, gerrit@erg.abdn.ac.uk, dccp@vger.kernel.org
To: alexey.kodanev@oracle.com
Return-path:
Received: from shards.monkeyblade.net ([23.128.96.9]:39620 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728139AbeHCWec (ORCPT ); Fri, 3 Aug 2018 18:34:32 -0400
In-Reply-To: <1533226925-16783-1-git-send-email-alexey.kodanev@oracle.com>
Sender: netdev-owner@vger.kernel.org
List-ID:

From: Alexey Kodanev
Date: Thu, 2 Aug 2018 19:22:05 +0300

> Make sure that the value of "(now - hc->tx_lsndtime) / hc->tx_rto" is
> properly limited when shifting 'u32 cwnd' with it, otherwise we can get:
 ...
> Fixes: 113ced1f52e5 ("dccp ccid-2: Perform congestion-window validation")
> Signed-off-by: Alexey Kodanev
 ...
> @@ -234,7 +234,7 @@ static void ccid2_cwnd_restart(struct sock *sk, const u32 now) > > /* don't reduce cwnd below the initial window (IW) */ > restart_cwnd = min(cwnd, iwnd); > - cwnd >>= (now - hc->tx_lsndtime) / hc->tx_rto; > + cwnd >>= min((now - hc->tx_lsndtime) / hc->tx_rto, 31U); > hc->tx_cwnd = max(cwnd, restart_cwnd); > > hc->tx_cwnd_stamp = now;

Better to mimic the TCP cwnd validation code, something like:

	s32 delta = now - hc->tx_lsndtime;

	while ((delta -= hc->tx_rto) > 0 && cwnd > restart_cwnd)
		cwnd >>= 1;

Thanks.
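
Review bot: the `31U` in the added `cwnd >>= min((now - hc->tx_lsndtime) / hc->tx_rto, 31U);` line is a bare constant with nothing tying it to the width of the `u32 cwnd` it protects. A one-line comment above the shift saying that 31 is the largest defined shift count for a 32-bit value, or a bound derived from `sizeof(cwnd)`, would keep the limit correct if the type of `cwnd` ever changes. The quotient is also still computed from an unsigned difference divided by `hc->tx_rto`, and the hunk shows no check that `hc->tx_rto` is non-zero at this point, so it is worth stating in the commit message why that cannot happen here.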
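
The two variants discussed in this thread, the clamped shift from the patch and the halving loop from the reply, compared side by side in user-space C. This is an added example, not kernel code and not either author's code; `struct tx`, `raw_shift`, `restart_clamped`, `restart_loop` and all sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the sender fields used in the hunk (not kernel code). */
struct tx { uint32_t cwnd, lsndtime, rto; };

static uint32_t min_u32(uint32_t a, uint32_t b) { return a < b ? a : b; }
static uint32_t max_u32(uint32_t a, uint32_t b) { return a > b ? a : b; }

/* Shift count the pre-patch line would use; >= 32 is undefined for a u32. */
uint32_t raw_shift(const struct tx *s, uint32_t now)
{
    return (now - s->lsndtime) / s->rto;
}

/* Patch variant: clamp the count to 31 before shifting. */
uint32_t restart_clamped(const struct tx *s, uint32_t iwnd, uint32_t now)
{
    uint32_t cwnd = s->cwnd, restart_cwnd = min_u32(cwnd, iwnd);
    cwnd >>= min_u32(raw_shift(s, now), 31U);
    return max_u32(cwnd, restart_cwnd);
}

/* Reply variant: halve once per elapsed RTO, never shifting by more than 1. */
uint32_t restart_loop(const struct tx *s, uint32_t iwnd, uint32_t now)
{
    uint32_t cwnd = s->cwnd, restart_cwnd = min_u32(cwnd, iwnd);
    int32_t delta = (int32_t)(now - s->lsndtime);

    /* Subtract in unsigned arithmetic so the step itself cannot overflow. */
    while ((delta = (int32_t)((uint32_t)delta - s->rto)) > 0 &&
           cwnd > restart_cwnd)
        cwnd >>= 1;
    return max_u32(cwnd, restart_cwnd);
}

int main(void)
{
    struct tx s = { .cwnd = 64, .lsndtime = 0, .rto = 100 };
    uint32_t idle[] = { 250, 200, 5000 };   /* constructed idle times */
    for (unsigned i = 0; i < 3; i++)
        printf("idle=%u raw=%u clamped=%u loop=%u\n", (unsigned)idle[i],
               (unsigned)raw_shift(&s, idle[i]),
               (unsigned)restart_clamped(&s, 4, idle[i]),
               (unsigned)restart_loop(&s, 4, idle[i]));
    return 0;
}
```

With these constructed values both forms return 16 at an idle time of 250 and 4 at 5000, but at exactly two RTOs (200) the loop halves once (32) where the clamped division shifts twice (16). When `now` is behind `lsndtime`, the signed `delta` makes the loop leave the window at 64, while the unsigned quotient is clamped to 31 and the result falls to the initial window.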