[PATCH 1/1] UBUNTU: SAUCE: Revert "net: increase fragment memory usage limits"
Tyler Hicks
tyhicks at canonical.com
Tue Oct 2 17:29:53 UTC 2018
This reverts commit c2a936600f78aea00d3312ea4b66a79a4619f9b4. It
made denial of service attacks on the IP fragment handling easier to
carry out.
CVE-2018-5391
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
include/net/ipv6.h | 4 ++--
net/ipv4/ip_fragment.c | 22 +++++++---------------
2 files changed, 9 insertions(+), 17 deletions(-)
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 8f73be494503..04a865cb4a83 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -373,8 +373,8 @@ static inline bool ipv6_accept_ra(struct inet6_dev *idev)
idev->cnf.accept_ra;
}
-#define IPV6_FRAG_HIGH_THRESH (4 * 1024*1024) /* 4194304 */
-#define IPV6_FRAG_LOW_THRESH (3 * 1024*1024) /* 3145728 */
+#define IPV6_FRAG_HIGH_THRESH (256 * 1024) /* 262144 */
+#define IPV6_FRAG_LOW_THRESH (192 * 1024) /* 196608 */
#define IPV6_FRAG_TIMEOUT (60 * HZ) /* 60 seconds */
int __ipv6_addr_type(const struct in6_addr *addr);
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index d14d741fb05e..bd10399eb916 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -788,22 +788,14 @@ static int __net_init ipv4_frags_init_net(struct net *net)
{
int res;
- /* Fragment cache limits.
- *
- * The fragment memory accounting code, (tries to) account for
- * the real memory usage, by measuring both the size of frag
- * queue struct (inet_frag_queue (ipv4:ipq/ipv6:frag_queue))
- * and the SKB's truesize.
- *
- * A 64K fragment consumes 129736 bytes (44*2944)+200
- * (1500 truesize == 2944, sizeof(struct ipq) == 200)
- *
- * We will commit 4MB at one time. Should we cross that limit
- * we will prune down to 3MB, making room for approx 8 big 64K
- * fragments 8x128k.
+ /*
+ * Fragment cache limits. We will commit 256K at one time. Should we
+ * cross that limit we will prune down to 192K. This should cope with
+ * even the most extreme cases without allowing an attacker to
+ * measurably harm machine performance.
*/
- net->ipv4.frags.high_thresh = 4 * 1024 * 1024;
- net->ipv4.frags.low_thresh = 3 * 1024 * 1024;
+ net->ipv4.frags.high_thresh = 256 * 1024;
+ net->ipv4.frags.low_thresh = 192 * 1024;
/*
* Important NOTE! Fragment queue must be destroyed before MSL expires.
* RFC791 is wrong proposing to prolongate timer each fragment arrival
--
2.7.4
More information about the kernel-team
mailing list