CVSROOT: /cvs Module name: src Changes by: bl...@cvs.openbsd.org 2019/07/10 12:45:31
Modified files: sys/netinet : tcp.h tcp_input.c Log message: Received SACK options are managed by a linked list at the TCP socket. There is a global tunable limit net.inet.tcp.sackholelimit, default is 32768. If an attacker manages to attach all these sack holes to a few TCP connections, the lists may grow long. Traversing them might cause higher CPU consumption on the victim machine. In practice such a situation is hard to create as the TCP retransmit and 2*msl timer flush the list periodically. For additional protection, enforce a per connection limit of 128 SACK holes in the list. reported by Reuven Plevinsky and Tal Vainshtein discussed with claudio@ and procter@; OK deraadt@