summaryrefslogtreecommitdiffstats
path: root/Documentation/networking/phonet.txt
diff options
context:
space:
mode:
authorAlexey Dobriyan <adobriyan@gmail.com>2010-11-22 13:54:21 +0100
committerDavid S. Miller <davem@davemloft.net>2010-11-28 19:39:45 +0100
commit0147fc058d11bd4009b126d09974d2c8f48fef15 (patch)
treef73f0e82f7774938dd7190c6a810e0ccb2466f2b /Documentation/networking/phonet.txt
parentnetns: Don't leak others' openreq-s in proc (diff)
downloadlinux-0147fc058d11bd4009b126d09974d2c8f48fef15.tar.xz
linux-0147fc058d11bd4009b126d09974d2c8f48fef15.zip
tcp: restrict net.ipv4.tcp_adv_win_scale (#20312)
tcp_win_from_space() does the following: if (sysctl_tcp_adv_win_scale <= 0) return space >> (-sysctl_tcp_adv_win_scale); else return space - (space >> sysctl_tcp_adv_win_scale); "space" is int. As per C99 6.5.7 (3) shifting int for 32 or more bits is undefined behaviour. Indeed, if sysctl_tcp_adv_win_scale is exactly 32, space >> 32 equals space and function returns 0. Which means we busyloop in tcp_fixup_rcvbuf(). Restrict net.ipv4.tcp_adv_win_scale to [-31, 31]. Fix https://bugzilla.kernel.org/show_bug.cgi?id=20312 Steps to reproduce: echo 32 >/proc/sys/net/ipv4/tcp_adv_win_scale wget www.kernel.org [softlockup] Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'Documentation/networking/phonet.txt')
0 files changed, 0 insertions, 0 deletions