Revert "net: increase fragment memory usage limits"

This reverts commit c2a936600f78aea00d3312ea4b66a79a4619f9b4.

Revert commit as mitigation to FragmentSmack (CVE-2018-5391)
[bwh: Adjust context to apply to sid]

Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name Revert-net-increase-fragment-memory-usage-limits.patch

diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 8f73be4945037c6d0997ec8ab7c3e9da3980a6e4..04a865cb4a83f32525c30f291ffc49cba2bf646e 100644 (file)
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -373,8 +373,8 @@ static inline bool ipv6_accept_ra(struct inet6_dev *idev)
            idev->cnf.accept_ra;
 }
 
-#define IPV6_FRAG_HIGH_THRESH  (4 * 1024*1024) /* 4194304 */
-#define IPV6_FRAG_LOW_THRESH   (3 * 1024*1024) /* 3145728 */
+#define IPV6_FRAG_HIGH_THRESH  (256 * 1024)    /* 262144 */
+#define IPV6_FRAG_LOW_THRESH   (192 * 1024)    /* 196608 */
 #define IPV6_FRAG_TIMEOUT      (60 * HZ)       /* 60 seconds */
 
 int __ipv6_addr_type(const struct in6_addr *addr);

diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index d14d741fb05e571d6d0b03248da77fd993debdee..bd10399eb916b8f270875cdc82243b4b4c1854d3 100644 (file)
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -788,22 +788,14 @@ static int __net_init ipv4_frags_init_net(struct net *net)
 {
        int res;
 
-       /* Fragment cache limits.
-        *
-        * The fragment memory accounting code, (tries to) account for
-        * the real memory usage, by measuring both the size of frag
-        * queue struct (inet_frag_queue (ipv4:ipq/ipv6:frag_queue))
-        * and the SKB's truesize.
-        *
-        * A 64K fragment consumes 129736 bytes (44*2944)+200
-        * (1500 truesize == 2944, sizeof(struct ipq) == 200)
-        *
-        * We will commit 4MB at one time. Should we cross that limit
-        * we will prune down to 3MB, making room for approx 8 big 64K
-        * fragments 8x128k.
+       /*
+        * Fragment cache limits. We will commit 256K at one time. Should we
+        * cross that limit we will prune down to 192K. This should cope with
+        * even the most extreme cases without allowing an attacker to
+        * measurably harm machine performance.
         */
-       net->ipv4.frags.high_thresh = 4 * 1024 * 1024;
-       net->ipv4.frags.low_thresh  = 3 * 1024 * 1024;
+       net->ipv4.frags.high_thresh = 256 * 1024;
+       net->ipv4.frags.low_thresh = 192 * 1024;
        /*
         * Important NOTE! Fragment queue must be destroyed before MSL expires.
         * RFC791 is wrong proposing to prolongate timer each fragment arrival