Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c7830576 authored by Eric Dumazet's avatar Eric Dumazet Committed by Greg Kroah-Hartman
Browse files

tcp: avoid integer overflows in tcp_rcv_space_adjust() 



commit 607065bad9931e72207b0cac365d7d4abc06bd99 upstream.

When using large tcp_rmem[2] values (I did tests with 500 MB),
I noticed overflows while computing rcvwin.

Lets fix this before the following patch.

Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
Acked-by: default avatarWei Wang <weiwan@google.com>
Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
[Backport: sysctl_tcp_rmem is not Namespace-ify'd in older kernels]
Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 4ff12f87

include/linux/tcp.h

+1 −1
Original line number Diff line number Diff line
@@ -292,7 +292,7 @@ struct tcp_sock { 


/* Receiver queue space */

	struct {

		int	space;

		u32	space;

		u32	seq;

		u32	time;

	} rcvq_space;

net/ipv4/tcp_input.c

+6 −4
Original line number Diff line number Diff line
@@ -550,8 +550,8 @@ static inline void tcp_rcv_rtt_measure_ts(struct sock *sk, 
void tcp_rcv_space_adjust(struct sock *sk)

{

	struct tcp_sock *tp = tcp_sk(sk);

	u32 copied;

	int time;

	int copied;



	time = tcp_time_stamp - tp->rcvq_space.time;

	if (time < (tp->rcv_rtt_est.rtt >> 3) || tp->rcv_rtt_est.rtt == 0)
@@ -573,12 +573,13 @@ void tcp_rcv_space_adjust(struct sock *sk) 


	if (sysctl_tcp_moderate_rcvbuf &&

	    !(sk->sk_userlocks & SOCK_RCVBUF_LOCK)) {

		int rcvwin, rcvmem, rcvbuf;

		int rcvmem, rcvbuf;

		u64 rcvwin;



		/* minimal window to cope with packet losses, assuming

		 * steady state. Add some cushion because of small variations.

		 */

		rcvwin = (copied << 1) + 16 * tp->advmss;

		rcvwin = ((u64)copied << 1) + 16 * tp->advmss;



		/* If rate increased by 25%,

		 *	assume slow start, rcvwin = 3 * copied
@@ -598,7 +599,8 @@ void tcp_rcv_space_adjust(struct sock *sk) 
		while (tcp_win_from_space(rcvmem) < tp->advmss)

			rcvmem += 128;



		rcvbuf = min(rcvwin / tp->advmss * rcvmem, sysctl_tcp_rmem[2]);

		do_div(rcvwin, tp->advmss);

		rcvbuf = min_t(u64, rcvwin * rcvmem, sysctl_tcp_rmem[2]);

		if (rcvbuf > sk->sk_rcvbuf) {

			sk->sk_rcvbuf = rcvbuf;