On Fri, Mar 03, 2017 at 16:58 +0100, [email protected] wrote: > Hi, > > here is a patch which fixes an integer overflow in the computation of > adaptive timeouts. The effect of this integer overflow is that > depending on timeout values, legitimate established connection states > can be evicted immediately (although other states with shorter > timeouts would be available but that's irrelevant). > > Examples of such values would be: > > timeout tcp.established 86400s (default) > limit states 200000 > > leads to a computed timeout of exactly 0 when the number of states is > 140579. > > While this condition is true, if the flush routine stumbles upon an > established connection, it is immediately dropped. This is not > guaranteed to happen because the flush routine checks only > (100/interval)% of the states each second. > > Here are values for a lower number of states in order to help > reproduce the problem: > > timeout tcp.established 1048576s > limit states 6830 > > the 4100th state may lead to the eviction of an established connection. > > We tried to provide the least intrusive patch and it works for us; > feel free to use it. > > Regards, > Mathieu > > > --- sys/net/pf.c Mon Jul 18 15:17:44 2016 > +++ sys/net/pf.c Fri Jan 20 13:10:04 2017 > @@ -1223,7 +1223,7 @@ > if (states >= end) > return (0); > > - timeout = timeout * (end - states) / (end - start); > + timeout = (u_int64_t) timeout * (end - states) / (end - start); > } > > return (state->expire + timeout); > EOF >
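Review bot: the cast belongs on `timeout` rather than on the result, and that is where this hunk puts it, so the multiply `timeout * (end - states)` is carried out in 64 bits before the division; with the mail's defaults (86400 s, limit 200000) the 32-bit product at 140579 states wraps to a value below the divisor and yields 0, which the promoted multiply avoids. One thing missing is a short comment above the statement noting why the cast is there: because `states >= end` was already rejected above, `(end - states) / (end - start)` is at most 1, so the 64-bit quotient never exceeds the original `timeout` and the implicit narrowing back on assignment is safe, but without a comment the cast looks redundant and risks being dropped in a later cleanup.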
I think your diff looks alright. I've double-checked that it fixes the overflow you're describing.
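To make the wraparound concrete, here is an added model of the scaling arithmetic (not the pf.c code itself) that evaluates both the pre-patch 32-bit expression and the patched 64-bit one for the two configurations given in the mail; it assumes pf's documented defaults of adaptive.start = 60% and adaptive.end = 120% of "limit states".

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of pf's adaptive timeout scaling; assumes the
 * documented defaults adaptive.start = 60%, adaptive.end = 120%. */
struct adaptive { uint32_t start, end; };

static struct adaptive
adaptive_defaults(uint32_t limit)
{
    struct adaptive a = { limit * 60 / 100, limit * 120 / 100 };
    return a;
}

/* Pre-patch arithmetic: every operand is 32 bits, so the product
 * timeout * (end - states) wraps modulo 2^32 before the division. */
static uint32_t
scale_timeout_32(uint32_t timeout, struct adaptive a, uint32_t states)
{
    if (states <= a.start)
        return timeout;            /* below adaptive.start: unscaled */
    if (states >= a.end)
        return 0;                  /* at/above adaptive.end: expire now */
    return timeout * (a.end - states) / (a.end - a.start);
}

/* Patched arithmetic: the cast promotes the multiply to 64 bits, and
 * the quotient never exceeds timeout, so narrowing back is safe. */
static uint32_t
scale_timeout_64(uint32_t timeout, struct adaptive a, uint32_t states)
{
    if (states <= a.start)
        return timeout;
    if (states >= a.end)
        return 0;
    return (uint64_t)timeout * (a.end - states) / (a.end - a.start);
}

/* True when the 32-bit multiply would wrap for these inputs. */
static int
multiply_wraps(uint32_t timeout, struct adaptive a, uint32_t states)
{
    return states > a.start && states < a.end &&
        (uint64_t)timeout * (a.end - states) > UINT32_MAX;
}

int
main(void)
{
    struct adaptive a = adaptive_defaults(200000);   /* start 120000, end 240000 */
    printf("states=140579: pre-patch %u s, patched %u s\n",
        scale_timeout_32(86400, a, 140579), scale_timeout_64(86400, a, 140579));
    return 0;
}
```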
