Bug 60665

Summary: `int backlog` is assigned to `unsigned short sk_max_ack_backlog` -> overflow
Product: Networking Reporter: ojab
Component: IPV4 Assignee: Stephen Hemminger (stephen)
Status: RESOLVED PATCH_ALREADY_AVAILABLE    
Severity: high    
Priority: P1    
Hardware: x86-64   
OS: Linux   
Kernel Version: 3.11-rc3 Subsystem:
Regression: No Bisected commit-id:

Description ojab 2013-07-31 13:32:54 UTC
I'm not sure that my analysis is correct, but:
sk_max_ack_backlog is declared as unsigned short @ https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/include/net/sock.h?id=refs/tags/v3.11-rc3#n377
and we're assigning `int backlog` to it @ https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/net/ipv4/af_inet.c?id=refs/tags/v3.10.4#n239

So if we set sysctls "net.ipv4.tcp_abort_on_overflow=1", "net.core.somaxconn=65536" (or larger) and backlog > 65536, we'll have real backlog = `somaxconn mod 65536`.

So AFAIU it shouldn't be possible to set somaxconn > 65535, or this behaviour should be fixed.
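
The truncation described in this report, reproduced in user space as an added example (not code from the report or from the kernel tree): a requested backlog is capped at somaxconn and then stored in a 16-bit field, next to a variant that clamps first. `struct model_sock`, `listen_truncating` and `listen_clamped` are hypothetical names, the cap-then-store flow is a simplified model of the listen path, and the clamp is one illustrative mitigation, not the patch the bug status refers to.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical stand-in for struct sock; only the field from the report. */
struct model_sock {
    unsigned short sk_max_ack_backlog;
};

/* Simplified model: cap the request at somaxconn, then store the int
 * into the unsigned short field. Values above 65535 keep only their
 * low 16 bits, so the stored limit is (value mod 65536). */
static unsigned int listen_truncating(struct model_sock *sk, int backlog,
                                      int somaxconn)
{
    if ((unsigned int)backlog > (unsigned int)somaxconn)
        backlog = somaxconn;
    sk->sk_max_ack_backlog = backlog;      /* implicit int -> unsigned short */
    return sk->sk_max_ack_backlog;
}

/* Illustrative mitigation (assumption): saturate at USHRT_MAX before the
 * store so an oversized request becomes the largest representable limit. */
static unsigned int listen_clamped(struct model_sock *sk, int backlog,
                                   int somaxconn)
{
    if ((unsigned int)backlog > (unsigned int)somaxconn)
        backlog = somaxconn;
    if (backlog > USHRT_MAX)
        backlog = USHRT_MAX;
    sk->sk_max_ack_backlog = (unsigned short)backlog;
    return sk->sk_max_ack_backlog;
}

int main(void)
{
    struct model_sock sk = { 0 };
    /* Constructed inputs: {requested backlog, somaxconn sysctl value}. */
    int cases[][2] = { {128, 65536}, {70000, 65536}, {100000, 70000} };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        unsigned int t = listen_truncating(&sk, cases[i][0], cases[i][1]);
        unsigned int c = listen_clamped(&sk, cases[i][0], cases[i][1]);
        printf("backlog=%d somaxconn=%d -> truncated=%u clamped=%u\n",
               cases[i][0], cases[i][1], t, c);
    }
    return 0;
}
```

With somaxconn=65536 the truncating path stores a limit of 0, which matters when tcp_abort_on_overflow=1 because the accept queue is then treated as full almost immediately.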