First published: Tue Jul 31 2012
A peer (or local user) may cause TCP to use a nominal MSS of as little as 88 (actual MSS of 76 with timestamps). Given that we have a sufficiently prodigious local sender and the peer ACKs quickly enough, it is nevertheless possible to grow the window for such a connection to the point that we will try to send just under 64K at once. This results in a single skb that expands to 861 segments.

In some drivers with TSO support, such an skb will require hundreds of DMA descriptors; a substantial fraction of a TX ring or even more than a full ring. The TX queue selected for the skb may stall and trigger the TX watchdog repeatedly (since the problem skb will be retried after the TX reset).

Upstream patch: http://www.spinics.net/lists/netdev/msg206332.html

References: http://seclists.org/oss-sec/2012/q3/171

Acknowledgements: Red Hat would like to thank Ben Hutchings of Solarflare (tm) for reporting this issue.
Credit: secalert@redhat.com
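The arithmetic behind the 861-segment figure in the description, as an added C sketch that is not part of the advisory or the upstream patch. The 52-byte header overhead, two descriptors per segment, the 1024-entry ring and the `max_segs` cap are assumptions chosen for illustration.

```c
#include <stdio.h>

/* Assumed header overhead: IPv4 (20) + TCP (20) + timestamp option (12). */
#define HDR_BYTES 52u
/* Largest IP datagram; the skb carries "just under 64K". */
#define MAX_DATAGRAM 65535u

/* Segments in the largest TSO skb for a given effective MSS.
 * max_segs == 0 means no cap (max_segs is a hypothetical parameter). */
unsigned tso_segments(unsigned mss, unsigned max_segs)
{
    if (mss == 0)
        return 0;                       /* invalid input, nothing to send */
    unsigned segs = (MAX_DATAGRAM - HDR_BYTES) / mss;  /* whole segments only */
    if (max_segs && segs > max_segs)
        segs = max_segs;
    return segs;
}

/* Descriptors needed, assuming descs_per_seg per segment (driver-specific). */
unsigned tx_descriptors(unsigned segs, unsigned descs_per_seg)
{
    return segs * descs_per_seg;
}

/* 1 if a single skb needs more descriptors than the ring holds. */
int exceeds_ring(unsigned descs, unsigned ring_size)
{
    return descs > ring_size;
}

int main(void)
{
    const unsigned ring = 1024, per_seg = 2;    /* constructed values */
    const unsigned mss[] = { 1448, 536, 76 };   /* 76 is the MSS from the text */
    for (unsigned i = 0; i < sizeof mss / sizeof mss[0]; i++) {
        unsigned s = tso_segments(mss[i], 0);
        unsigned d = tx_descriptors(s, per_seg);
        printf("mss=%4u segs=%3u descs=%4u %s\n", mss[i], s, d,
               exceeds_ring(d, ring) ? "exceeds ring" : "fits");
    }
    unsigned capped = tso_segments(76, 100);    /* hypothetical cap of 100 */
    printf("capped: segs=%u descs=%u\n", capped, tx_descriptors(capped, per_seg));
    return 0;
}
```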
Affected Software | Affected Version | How to fix |
---|---|---|
Linux Linux kernel | <3.0.44 | |
Linux Linux kernel | >=3.1<3.2.30 | |
Linux Linux kernel | >=3.3<3.4.12 | |
Linux Linux kernel | >=3.5<3.5.5 | |
Canonical Ubuntu Linux | =10.04 | |
Canonical Ubuntu Linux | =11.04 | |
Canonical Ubuntu Linux | =11.10 | |
Canonical Ubuntu Linux | =12.04 | |
debian/linux | 5.10.223-1 5.10.226-1 6.1.115-1 6.1.119-1 6.12.5-1 6.12.6-1 |