summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEric Dumazet <eric.dumazet@gmail.com>2011-11-23 15:49:31 -0500
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-10-22 08:41:44 +0100
commit676d438e25b8b1fe251c1d474fab86187dbc6293 (patch)
treeb68b0175b905dd0c12a350eb7c735a84476f9508
parentf11d481f8f81dec26d3370bcf8f4c1f2d53ccefc (diff)
downloadlwn-676d438e25b8b1fe251c1d474fab86187dbc6293.tar.gz
lwn-676d438e25b8b1fe251c1d474fab86187dbc6293.zip
ipv6: tcp: fix panic in SYN processing
commit c16a98ed91597b40b22b540c6517103497ef8e74 upstream. commit 72a3effaf633bc ([NET]: Size listen hash tables using backlog hint) added a bug allowing inet6_synq_hash() to return an out of bound array index, because of u16 overflow. Bug can happen if system admins set net.core.somaxconn & net.ipv4.tcp_max_syn_backlog sysctls to values greater than 65536 Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Cc: Willy Tarreau <w@1wt.eu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--net/ipv6/inet6_connection_sock.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c
index 8a58e8cf6646..aea323c04222 100644
--- a/net/ipv6/inet6_connection_sock.c
+++ b/net/ipv6/inet6_connection_sock.c
@@ -85,7 +85,7 @@ struct dst_entry *inet6_csk_route_req(struct sock *sk,
* request_sock (formerly open request) hash tables.
*/
static u32 inet6_synq_hash(const struct in6_addr *raddr, const __be16 rport,
- const u32 rnd, const u16 synq_hsize)
+ const u32 rnd, const u32 synq_hsize)
{
u32 c;