From owner-svn-src-head@FreeBSD.ORG Thu Sep 4 09:15:44 2014 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A0B19E39; Thu, 4 Sep 2014 09:15:44 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8C4EF1A4A; Thu, 4 Sep 2014 09:15:44 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s849Fi9M005616; Thu, 4 Sep 2014 09:15:44 GMT (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s849FiTT005615; Thu, 4 Sep 2014 09:15:44 GMT (envelope-from glebius@FreeBSD.org) Message-Id: <201409040915.s849FiTT005615@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: glebius set sender to glebius@FreeBSD.org using -f From: Gleb Smirnoff Date: Thu, 4 Sep 2014 09:15:44 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r271089 - head/sys/netinet X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Sep 2014 09:15:44 -0000 Author: glebius Date: Thu Sep 4 09:15:44 2014 New Revision: 271089 URL: http://svnweb.freebsd.org/changeset/base/271089 Log: Improve r265338. When inserting mbufs into TCP reassembly queue, try to collapse adjacent pieces using m_catpkt(). In best case scenario it copies data and frees mbufs, making mbuf exhaustion attack harder. Suggested by: Jonathan Looney Security: Hardens against remote mbuf exhaustion attack. Sponsored by: Netflix Sponsored by: Nginx, Inc. Modified: head/sys/netinet/tcp_reass.c Modified: head/sys/netinet/tcp_reass.c ============================================================================== --- head/sys/netinet/tcp_reass.c Thu Sep 4 09:07:14 2014 (r271088) +++ head/sys/netinet/tcp_reass.c Thu Sep 4 09:15:44 2014 (r271089) @@ -214,16 +214,29 @@ tcp_reass(struct tcpcb *tp, struct tcphd mq = nq; } - /* Insert the new segment queue entry into place. */ + /* + * Insert the new segment queue entry into place. Try to collapse + * mbuf chains if segments are adjacent. + */ if (mp) { - m->m_nextpkt = mp->m_nextpkt; - mp->m_nextpkt = m; + if (M_TCPHDR(mp)->th_seq + mp->m_pkthdr.len == th->th_seq) + m_catpkt(mp, m); + else { + m->m_nextpkt = mp->m_nextpkt; + mp->m_nextpkt = m; + m->m_pkthdr.pkt_tcphdr = th; + } } else { - m->m_nextpkt = tp->t_segq; - tp->t_segq = m ; + mq = tp->t_segq; + tp->t_segq = m; + if (mq && th->th_seq + *tlenp == M_TCPHDR(mq)->th_seq) { + m->m_nextpkt = mq->m_nextpkt; + m_catpkt(m, mq); + } else + m->m_nextpkt = mq; + m->m_pkthdr.pkt_tcphdr = th; } - m->m_pkthdr.pkt_tcphdr = th; - tp->t_segqlen += m->m_pkthdr.len; + tp->t_segqlen += *tlenp; present: /*