If mtu probing is enabled tcp_mtu_probing() could very well end up with a too small MSS.
Use the new sysctl tcp_min_snd_mss to make sure MSS search is performed in an acceptable range. CVE-2019-11479 -- tcp mss hardcoded to 48 Signed-off-by: Eric Dumazet <[email protected]> Reported-by: Jonathan Lemon <[email protected]> Cc: Jonathan Looney <[email protected]> Acked-by: Neal Cardwell <[email protected]> Cc: Yuchung Cheng <[email protected]> Cc: Tyler Hicks <[email protected]> Cc: Bruce Curtis <[email protected]> --- net/ipv4/tcp_timer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c index 5bad937ce779ef8dca42a26dcbb5f1d60a571c73..c801cd37cc2a9c11f2dd4b9681137755e501a538 100644 --- a/net/ipv4/tcp_timer.c +++ b/net/ipv4/tcp_timer.c @@ -155,6 +155,7 @@ static void tcp_mtu_probing(struct inet_connection_sock *icsk, struct sock *sk) mss = tcp_mtu_to_mss(sk, icsk->icsk_mtup.search_low) >> 1; mss = min(net->ipv4.sysctl_tcp_base_mss, mss); mss = max(mss, 68 - tcp_sk(sk)->tcp_header_len); + mss = max(mss, net->ipv4.sysctl_tcp_min_snd_mss); icsk->icsk_mtup.search_low = tcp_mss_to_mtu(sk, mss); } tcp_sync_mss(sk, icsk->icsk_pmtu_cookie); -- 2.22.0.410.gd8fdbe21b5-goog
