jimzah/openafs
1
0
Fork 0
mirror of https://git.openafs.org/openafs.git synced 2025-01-18 15:00:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

OPENAFS-SA-2017-001: rx: Sanity-check received MTU and twind values

Browse Source 
Rather than blindly trusting the values received in the
(unauthenticated) ack packet trailer, apply some minmial sanity checks
to received values.  natMTU and regular MTU values are subject to
Rx minmium/maximum packet sizes, and the transmit window cannot drop
below one without risk of deadlock.

The maxDgramPackets value that can also be present in the trailer
already has sufficient sanity checking.

Extremely low MTU values (less than 28 == RX_HEADER_SIZE) can cause us
to set a negative "maximum usable data" size that gets used as an
(unsigned) packet length for subsequent allocation and computation,
triggering an assertion when the connection is used to transmit data.

FIXES 134450

Change-Id: I37698ff166da47a57aa0d1962ae8effc74e30851
This commit is contained in:
Benjamin Kaduk 2017-12-04 17:20:57 -06:00
parent 4fa0ee620c
commit 894555f93a
1 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/rx/rx.c
View File

@ -4427,12 +4427,20 @@ rxi_ReceiveAckPacket(struct rx_call *call, struct rx_packet *np,
rx_packetread(np, rx_AckDataSize(ap->nAcks) + (int)sizeof(afs_int32),
(int)sizeof(afs_int32), &tSize);
tSize = (afs_uint32) ntohl(tSize);
if (tSize > RX_MAX_PACKET_SIZE)
tSize = RX_MAX_PACKET_SIZE;
if (tSize < RX_MIN_PACKET_SIZE)
tSize = RX_MIN_PACKET_SIZE;
peer->natMTU = rxi_AdjustIfMTU(MIN(tSize, peer->ifMTU));
/* Get the maximum packet size to send to this peer */
rx_packetread(np, rx_AckDataSize(ap->nAcks), (int)sizeof(afs_int32),
&tSize);
tSize = (afs_uint32) ntohl(tSize);
if (tSize > RX_MAX_PACKET_SIZE)
tSize = RX_MAX_PACKET_SIZE;
if (tSize < RX_MIN_PACKET_SIZE)
tSize = RX_MIN_PACKET_SIZE;
tSize = (afs_uint32) MIN(tSize, rx_MyMaxSendSize);
tSize = rxi_AdjustMaxMTU(peer->natMTU, tSize);
@ -4454,6 +4462,10 @@ rxi_ReceiveAckPacket(struct rx_call *call, struct rx_packet *np,
rx_AckDataSize(ap->nAcks) + 2 * (int)sizeof(afs_int32),
(int)sizeof(afs_int32), &tSize);
tSize = (afs_uint32) ntohl(tSize); /* peer's receive window, if it's */
if (tSize == 0)
tSize = 1;
if (tSize >= rx_maxSendWindow)
tSize = rx_maxSendWindow;
if (tSize < call->twind) { /* smaller than our send */
call->twind = tSize; /* window, we must send less... */
call->ssthresh = MIN(call->twind, call->ssthresh);
@ -4475,6 +4487,10 @@ rxi_ReceiveAckPacket(struct rx_call *call, struct rx_packet *np,
rx_AckDataSize(ap->nAcks) + 2 * (int)sizeof(afs_int32),
sizeof(afs_int32), &tSize);
tSize = (afs_uint32) ntohl(tSize);
if (tSize == 0)
tSize = 1;
if (tSize >= rx_maxSendWindow)
tSize = rx_maxSendWindow;
/*
* As of AFS 3.5 we set the send window to match the receive window.
*/