60665 – `int backlog` is assigned to `unsigned short sk_max_ack_backlog` -> overflow

Bug 60665 - `int backlog` is assigned to `unsigned short sk_max_ack_backlog` -> overflow

Summary: `int backlog` is assigned to `unsigned short sk_max_ack_backlog` -> overflow

Status:	RESOLVED PATCH_ALREADY_AVAILABLE

Alias:	None

Product:	Networking
Classification:	Unclassified
Component:	IPV4 (show other bugs)
Hardware:	x86-64 Linux

Importance:	P1 high
Assignee:	Stephen Hemminger

URL:
Keywords:

Depends on:
Blocks:

Reported:	2013-07-31 13:32 UTC by ojab
Modified:	2013-08-09 06:45 UTC (History)
CC List:	0 users

See Also:
Kernel Version:	3.11-rc3
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description ojab 2013-07-31 13:32:54 UTC

I'm not sure that my analysis is correct, but:
sk_max_ack_backlog declared as unsigned short @ https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/include/net/sock.h?id=refs/tags/v3.11-rc3#n377
and we're assigning `int backlog` to it @ https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/net/ipv4/af_inet.c?id=refs/tags/v3.10.4#n239

So if we'll set sysctls "net.ipv4.tcp_abort_on_overflow=1", "net.core.somaxconn=65536" (or larger) and backlog > 65536, we'll have real backlog = `somaxconn mod 65536`.

So AFAIU there shouldn't be possible to set somaxconn > 65535 or this behaviour should be fixed.

Note You need to log in before you can comment on or make changes to this bug.