On Fri, Mar 03, 2017 at 04:58:18PM +0100, [email protected] wrote: > Hi, > > here is a patch which fixes an integer overflow in the computation of > adaptive timeouts. The effect of this integer overflow is that > depending on timeout values, legitimate established connection states > can be evicted immediately (although other states with shorter > timeouts would be available but that's irrelevant). > > Examples of such values would be: > > timeout tcp.established 86400s (default) > limit states 200000 > > leads to a computed timeout of exactly 0 when the number of states is > 140579. > > While this condition is true, if the flush routine stumbles upon an > established connection, it is immediately dropped. This is not > guaranteed to happen because the flush routine checks only > (100/interval)% of the states each second. > > Here are values for a lower number of states in order to help > reproduce the problem: > > timeout tcp.established 1048576s > limit states 6830 > > the 4100th state may lead to the eviction of an established connection. > > We tried to provide the least intrusive patch and it works for us; > feel free to use it. >
Hi Mathieu, I committed more or less your version of the diff this morning. Only change I did was making timeout unsigned. Thanks for the report. -- :wq Claudio
