| From 06425c308b92eaf60767bc71d359f4cbc7a561f8 Mon Sep 17 00:00:00 2001 |
| From: Eric Dumazet <edumazet@google.com> |
| Date: Wed, 1 Feb 2017 08:33:53 -0800 |
| Subject: [PATCH] tcp: fix 0 divide in __tcp_select_window() |
| |
| commit 06425c308b92eaf60767bc71d359f4cbc7a561f8 upstream. |
| |
| syzkaller fuzzer was able to trigger a divide by zero, when |
| TCP window scaling is not enabled. |
| |
| SO_RCVBUF can be used not only to increase sk_rcvbuf, also |
| to decrease it below current receive buffers utilization. |
| |
| If mss is negative or 0, just return a zero TCP window. |
| |
| Signed-off-by: Eric Dumazet <edumazet@google.com> |
| Reported-by: Dmitry Vyukov <dvyukov@google.com> |
| Acked-by: Neal Cardwell <ncardwell@google.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| |
| diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c |
| index 1d5331a1b1dc..8ce50dc3ab8c 100644 |
| --- a/net/ipv4/tcp_output.c |
| +++ b/net/ipv4/tcp_output.c |
| @@ -2518,9 +2518,11 @@ u32 __tcp_select_window(struct sock *sk) |
| int full_space = min_t(int, tp->window_clamp, allowed_space); |
| int window; |
| |
| - if (mss > full_space) |
| + if (unlikely(mss > full_space)) { |
| mss = full_space; |
| - |
| + if (mss <= 0) |
| + return 0; |
| + } |
| if (free_space < (full_space >> 1)) { |
| icsk->icsk_ack.quick = 0; |
| |
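Review bot: The new `if (mss <= 0) return 0;` check sits inside the `mss > full_space` branch, so it only catches a non-positive `mss` that the clamp itself produced. An `mss` that is already 0 on entry while `full_space >= 0` would skip the guard. The initialisation of `mss` and the division it protects are both outside this hunk, so that case may be impossible in practice. A short comment at the guard would make the invariant explicit for later readers, for example `/* full_space can be <= 0 once SO_RCVBUF shrinks sk_rcvbuf below current usage; advertise a zero window instead of dividing by mss later */`. The body of `__tcp_select_window()` starts before and continues past the hunk.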
| -- |
| 2.12.0 |
| |