APPLIED T/X/Z: [CVE-2017-14106][T/X/Z SRU][PATCH] tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

Stefan Bader stefan.bader at canonical.com
Fri Sep 15 13:34:19 UTC 2017


On 11.09.2017 08:23, Po-Hsu Lin wrote:
> From: Wei Wang <weiwan at google.com>
> 
> CVE-2017-14106
> 
> When tcp_disconnect() is called, inet_csk_delack_init() sets
> icsk->icsk_ack.rcv_mss to 0.
> This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
> __tcp_select_window() call path to have division by 0 issue.
> So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.
> 
> Reported-by: Andrey Konovalov  <andreyknvl at google.com>
> Signed-off-by: Wei Wang <weiwan at google.com>
> Signed-off-by: Eric Dumazet <edumazet at google.com>
> Signed-off-by: Neal Cardwell <ncardwell at google.com>
> Signed-off-by: Yuchung Cheng <ycheng at google.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit 499350a5a6e7512d9ed369ed63a4244b6536f4f8)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
> ---
>  net/ipv4/tcp.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> index 16b5118..46c45a0 100644
> --- a/net/ipv4/tcp.c
> +++ b/net/ipv4/tcp.c
> @@ -2202,6 +2202,10 @@ int tcp_disconnect(struct sock *sk, int flags)
>  	tcp_set_ca_state(sk, TCP_CA_Open);
>  	tcp_clear_retrans(tp);
>  	inet_csk_delack_init(sk);
> +	/* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
> +	 * issue in __tcp_select_window()
> +	 */
> +	icsk->icsk_ack.rcv_mss = TCP_MIN_MSS;
>  	tcp_init_send_head(sk);
>  	memset(&tp->rx_opt, 0, sizeof(tp->rx_opt));
>  	__sk_dst_reset(sk);
> 
Applied to Trusty, Xenial, and Zesty master-next

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20170915/a4aab1f2/attachment.sig>


More information about the kernel-team mailing list