Re: [PATCH net,v3] tcp: fix a signed-integer-overflow bug in tcp_add_backlog()

From: Kuniyuki Iwashima
Date: Fri Oct 21 2022 - 13:17:45 EST


From: Lu Wei <luwei32@xxxxxxxxxx>
Date: Fri, 21 Oct 2022 12:06:22 +0800
> The type of sk_rcvbuf and sk_sndbuf in struct sock is int, and
> in tcp_add_backlog(), the variable limit is caculated by adding
> sk_rcvbuf, sk_sndbuf and 64 * 1024, it may exceed the max value
> of int and overflow. This patch reduces the limit budget by
> halving the sndbuf to solve this issue since ACK packets are much
> smaller than the payload.
>
> Fixes: c9c3321257e1 ("tcp: add tcp_add_backlog()")
> Signed-off-by: Lu Wei <luwei32@xxxxxxxxxx>

Acked-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>


> ---
> net/ipv4/tcp_ipv4.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> index 7a250ef9d1b7..87d440f47a70 100644
> --- a/net/ipv4/tcp_ipv4.c
> +++ b/net/ipv4/tcp_ipv4.c
> @@ -1874,11 +1874,13 @@ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb,
> __skb_push(skb, hdrlen);
>
> no_coalesce:
> + limit = (u32)READ_ONCE(sk->sk_rcvbuf) + (u32)(READ_ONCE(sk->sk_sndbuf) >> 1);
> +
> /* Only socket owner can try to collapse/prune rx queues
> * to reduce memory overhead, so add a little headroom here.
> * Few sockets backlog are possibly concurrently non empty.
> */
> - limit = READ_ONCE(sk->sk_rcvbuf) + READ_ONCE(sk->sk_sndbuf) + 64*1024;
> + limit += 64 * 1024;
>
> if (unlikely(sk_add_backlog(sk, skb, limit))) {
> bh_unlock_sock(sk);
> --
> 2.31.1