Re: [058/152] tcp: protect sysctl_tcp_cookie_size reads

From: William Allen Simpson
Date: Thu Jan 06 2011 - 23:09:16 EST

Next message: Zhong, Xin: "RE: [Bug 26242] New: BUG: unable to handle kernel NULL pointerdereference at (null)"
Previous message: Herbert Xu: "hwrng: via_rng - Fix memory scribbling on some CPUs"
In reply to: Greg KH: "[058/152] tcp: protect sysctl_tcp_cookie_size reads"
Next in thread: Eric Dumazet: "Re: [058/152] tcp: protect sysctl_tcp_cookie_size reads"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Thank you for bringing this to my attention. There's been quite a few
changes in the 18 months since this function was originally written.

The overall purpose of the patch seems OK, although most of the patch
has nothing to do with the purported fix.

That is, somebody preferred to alter conditions and remove braces. Seems
harder to read to me! I'm surprised that this passed checkpatch.pl?

On 1/5/11 7:22 PM, Greg KH wrote:

2.6.36-stable review patch. If anyone has any objections, please let us know.

------------------

From: Eric Dumazet<eric.dumazet@xxxxxxxxx>

[ Upstream commit f19872575ff7819a3723154657a497d9bca66b33 ]

Make sure sysctl_tcp_cookie_size is read once in
tcp_cookie_size_check(), or we might return an illegal value to caller
if sysctl_tcp_cookie_size is changed by another cpu.

Signed-off-by: Eric Dumazet<eric.dumazet@xxxxxxxxx>
Cc: Ben Hutchings<bhutchings@xxxxxxxxxxxxxx>
Cc: William Allen Simpson<william.allen.simpson@xxxxxxxxx>
Signed-off-by: David S. Miller<davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman<gregkh@xxxxxxx>
---
net/ipv4/tcp_output.c | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)

--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -391,27 +391,30 @@ struct tcp_out_options {
*/
static u8 tcp_cookie_size_check(u8 desired)
{
- if (desired> 0) {
+ int cookie_size;
+
+ if (desired> 0)
/* previously specified */
return desired;
- }
- if (sysctl_tcp_cookie_size<= 0) {
+
+ cookie_size = ACCESS_ONCE(sysctl_tcp_cookie_size);
+ if (cookie_size<= 0)
/* no default specified */
return 0;
- }
- if (sysctl_tcp_cookie_size<= TCP_COOKIE_MIN) {
+
+ if (cookie_size<= TCP_COOKIE_MIN)
/* value too small, specify minimum */
return TCP_COOKIE_MIN;
- }
- if (sysctl_tcp_cookie_size>= TCP_COOKIE_MAX) {
+
+ if (cookie_size>= TCP_COOKIE_MAX)
/* value too large, specify maximum */
return TCP_COOKIE_MAX;
- }
- if (0x1& sysctl_tcp_cookie_size) {
+
+ if (cookie_size& 1)
/* 8-bit multiple, illegal, fix it */
- return (u8)(sysctl_tcp_cookie_size + 0x1);
- }
- return (u8)sysctl_tcp_cookie_size;
+ cookie_size++;
+
+ return (u8)cookie_size;
}

/* Write previously computed TCP options to the packet.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Zhong, Xin: "RE: [Bug 26242] New: BUG: unable to handle kernel NULL pointerdereference at (null)"
Previous message: Herbert Xu: "hwrng: via_rng - Fix memory scribbling on some CPUs"
In reply to: Greg KH: "[058/152] tcp: protect sysctl_tcp_cookie_size reads"
Next in thread: Eric Dumazet: "Re: [058/152] tcp: protect sysctl_tcp_cookie_size reads"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]