svn commit: r334737 - releng/11.2/sys/netinet
Michael Tuexen
tuexen at FreeBSD.org
Wed Jun 6 21:23:43 UTC 2018
Author: tuexen
Date: Wed Jun 6 21:23:42 2018
New Revision: 334737
URL: https://svnweb.freebsd.org/changeset/base/334737
Log:
MFstable/11 r334730
Ensure net.inet.tcp.syncache.rexmtlimit is limited by TCP_MAXRXTSHIFT.
If the sysctl variable is set to a value larger than TCP_MAXRXTSHIFT+1,
the array tcp_syn_backoff[] is accessed out of bounds.
Discussed with: jtl@
Approved by: re (gjb)
Sponsored by: Netflix, Inc.
Modified:
releng/11.2/sys/netinet/tcp_syncache.c
Directory Properties:
releng/11.2/ (props changed)
Modified: releng/11.2/sys/netinet/tcp_syncache.c
==============================================================================
--- releng/11.2/sys/netinet/tcp_syncache.c Wed Jun 6 20:32:39 2018 (r334736)
+++ releng/11.2/sys/netinet/tcp_syncache.c Wed Jun 6 21:23:42 2018 (r334737)
@@ -175,8 +175,27 @@ SYSCTL_UINT(_net_inet_tcp_syncache, OID_AUTO, hashsize
&VNET_NAME(tcp_syncache.hashsize), 0,
"Size of TCP syncache hashtable");
-SYSCTL_UINT(_net_inet_tcp_syncache, OID_AUTO, rexmtlimit, CTLFLAG_VNET | CTLFLAG_RW,
+static int
+sysctl_net_inet_tcp_syncache_rexmtlimit_check(SYSCTL_HANDLER_ARGS)
+{
+ int error;
+ u_int new;
+
+ new = V_tcp_syncache.rexmt_limit;
+ error = sysctl_handle_int(oidp, &new, 0, req);
+ if ((error == 0) && (req->newptr != NULL)) {
+ if (new > TCP_MAXRXTSHIFT)
+ error = EINVAL;
+ else
+ V_tcp_syncache.rexmt_limit = new;
+ }
+ return (error);
+}
+
+SYSCTL_PROC(_net_inet_tcp_syncache, OID_AUTO, rexmtlimit,
+ CTLFLAG_VNET | CTLTYPE_UINT | CTLFLAG_RW,
&VNET_NAME(tcp_syncache.rexmt_limit), 0,
+ sysctl_net_inet_tcp_syncache_rexmtlimit_check, "UI",
"Limit on SYN/ACK retransmissions");
VNET_DEFINE(int, tcp_sc_rst_sock_fail) = 1;
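Review bot: the bound in `if (new > TCP_MAXRXTSHIFT)` is one tighter than the threshold given in the log message, which says the out-of-bounds access to tcp_syn_backoff[] happens for values larger than TCP_MAXRXTSHIFT+1, and nothing in the handler says which limit is intended. Rejecting more than strictly necessary is the safe direction, but a one-line comment above the check relating the accepted maximum to the size of tcp_syn_backoff[] would settle it for the next reader. Separately, SYSCTL_PROC still passes `&VNET_NAME(tcp_syncache.rexmt_limit)` as arg1 while the handler reads and writes V_tcp_syncache.rexmt_limit directly and never touches arg1; consider having the handler work through arg1, or note in a comment that the argument is unused.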