From: Salvatore Bonaccorso
Date: Sat, 28 Jul 2018 16:48:31 +0200
Subject: [PATCH] Revert "net: increase fragment memory usage limits"

This reverts commit c2a936600f78aea00d3312ea4b66a79a4619f9b4.

Revert commit as mitigation to FragmentSmack (CVE-2018-5391)

[bwh: Adjust context to apply to sid]
---
 include/net/ipv6.h | 4 ++--
 net/ipv4/ip_fragment.c | 22 +++++++---------------
 2 files changed, 9 insertions(+), 17 deletions(-)

--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -379,8 +379,8 @@ static inline bool ipv6_accept_ra(struct
 idev->cnf.accept_ra;
 }
-#define IPV6_FRAG_HIGH_THRESH (4 * 1024*1024) /* 4194304 */
-#define IPV6_FRAG_LOW_THRESH (3 * 1024*1024) /* 3145728 */
+#define IPV6_FRAG_HIGH_THRESH (256 * 1024) /* 262144 */
+#define IPV6_FRAG_LOW_THRESH (192 * 1024) /* 196608 */
 #define IPV6_FRAG_TIMEOUT (60 * HZ) /* 60 seconds */
 int __ipv6_addr_type(const struct in6_addr *addr);
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
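Review bot: The lowered IPV6_FRAG_HIGH_THRESH / IPV6_FRAG_LOW_THRESH values are only compiled-in defaults; both are runtime-tunable through sysctl (net.ipv6.ip6frag_high_thresh and net.ipv6.ip6frag_low_thresh), so a host whose sysctl configuration raises them to the previous 4M/3M loses the mitigation silently. Nothing next to the macros records that the small values are deliberate, so a later "increase limits" change could reintroduce the exposure; a comment on the HIGH_THRESH line such as `/* kept small as a mitigation for CVE-2018-5391 (FragmentSmack) */` would anchor the intent in the code rather than only in the commit message. These macros are presumably also consumed by the IPv6 netfilter defragmentation path, so that path inherits the smaller budget too — worth confirming and mentioning in the description. Note also that this is a memory cap, not a fix of the reassembly algorithm itself; the description should not present it as a complete fix for the CVE.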
@@ -788,22 +788,14 @@ static int __net_init ipv4_frags_init_ne
 {
 int res;
- /* Fragment cache limits.
- *
- * The fragment memory accounting code, (tries to) account for
- * the real memory usage, by measuring both the size of frag
- * queue struct (inet_frag_queue (ipv4:ipq/ipv6:frag_queue))
- * and the SKB's truesize.
- *
- * A 64K fragment consumes 129736 bytes (44*2944)+200
- * (1500 truesize == 2944, sizeof(struct ipq) == 200)
- *
- * We will commit 4MB at one time. Should we cross that limit
- * we will prune down to 3MB, making room for approx 8 big 64K
- * fragments 8x128k.
+ /*
+ * Fragment cache limits. We will commit 256K at one time. Should we
+ * cross that limit we will prune down to 192K. This should cope with
+ * even the most extreme cases without allowing an attacker to
+ * measurably harm machine performance.
 */
- net->ipv4.frags.high_thresh = 4 * 1024 * 1024;
- net->ipv4.frags.low_thresh = 3 * 1024 * 1024;
+ net->ipv4.frags.high_thresh = 256 * 1024;
+ net->ipv4.frags.low_thresh = 192 * 1024;
 /*
 * Important NOTE! Fragment queue must be destroyed before MSL expires.
 * RFC791 is wrong proposing to prolongate timer each fragment arrival
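Review bot: The restored comment claims the 256K cap "should cope with even the most extreme cases" but says nothing about why the values were put back down, so the next person to revisit fragment memory will have no reason not to raise them again; add a line to the new comment block such as `* Kept at 256K/192K as a mitigation for CVE-2018-5391 (FragmentSmack); do not raise without revisiting that.` The assignments write net->ipv4.frags.high_thresh / low_thresh, so the budget is per network namespace rather than system-wide, which the description should state explicitly since it bounds what the mitigation guarantees; both values are also overridable via the net.ipv4.ipfrag_high_thresh / ipfrag_low_thresh sysctls, so sysctl.d drop-ins that raised them need checking. The IPv4 side carries bare literals while the IPv6 side has named macros in include/net/ipv6.h; a named constant on this side would keep the two defaults from drifting apart again. ipv4_frags_init_net continues past the end of the hunk.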