tcp: fix potential huge kmalloc() calls in TCP_REPAIR
authorEric Dumazet <edumazet@google.com>
Thu, 19 Nov 2015 05:03:33 +0000 (21:03 -0800)
committerDavid S. Miller <davem@davemloft.net>
Fri, 20 Nov 2015 15:57:33 +0000 (10:57 -0500)
commit5d4c9bfbabdb1d497f21afd81501e5c54b0c85d9
tree2d59e7176c7c351ca7113839fa6f8db42762d43e
parentdd52bc2b4ed16db66f9347aa263d8f1dc889b4b6
tcp: fix potential huge kmalloc() calls in TCP_REPAIR

tcp_send_rcvq() is used for re-injecting data into tcp receive queue.

Problems :

- No check against size is performed, allowed user to fool kernel in
  attempting very large memory allocations, eventually triggering
  OOM when memory is fragmented.

- In case of fault during the copy we do not return correct errno.

Lets use alloc_skb_with_frags() to cook optimal skbs.

Fixes: 292e8d8c8538 ("tcp: Move rcvq sending to tcp_input.c")
Fixes: c0e88ff0f256 ("tcp: Repair socket queues")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Pavel Emelyanov <xemul@parallels.com>
Acked-by: Pavel Emelyanov <xemul@parallels.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/tcp_input.c