tcp: protect sysctl_tcp_cookie_size reads

Make sure sysctl_tcp_cookie_size is read once in tcp_cookie_size_check(), or we might return an illegal value to caller if sysctl_tcp_cookie_size is changed by another cpu. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Cc: Ben Hutchings <bhutchings@solarflare.com> Cc: William Allen Simpson <william.allen.simpson@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-12-07 12:20:47 +00:00 · 2010-12-07 12:20:47 +00:00 · f19872575f
commit f19872575f
parent ad9f4f50fe
1 changed files with 15 additions and 12 deletions
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@ -385,27 +385,30 @@ struct tcp_out_options {
 */
 static u8 tcp_cookie_size_check(u8 desired)
 {
-	if (desired > 0) {
+	int cookie_size;
 	if (desired > 0)
 		/* previously specified */
 		return desired;
-	}
+
-	if (sysctl_tcp_cookie_size <= 0) {
+	cookie_size = ACCESS_ONCE(sysctl_tcp_cookie_size);
 	if (cookie_size <= 0)
 		/* no default specified */
 		return 0;
-	}
+
-	if (sysctl_tcp_cookie_size <= TCP_COOKIE_MIN) {
+	if (cookie_size <= TCP_COOKIE_MIN)
 		/* value too small, specify minimum */
 		return TCP_COOKIE_MIN;
-	}
+
-	if (sysctl_tcp_cookie_size >= TCP_COOKIE_MAX) {
+	if (cookie_size >= TCP_COOKIE_MAX)
 		/* value too large, specify maximum */
 		return TCP_COOKIE_MAX;
-	}
+
-	if (0x1 & sysctl_tcp_cookie_size) {
+	if (cookie_size & 1)
 		/* 8-bit multiple, illegal, fix it */
-		return (u8)(sysctl_tcp_cookie_size + 0x1);
+		cookie_size++;
-	}
+
-	return (u8)sysctl_tcp_cookie_size;
+	return (u8)cookie_size;
 }
 /* Write previously computed TCP options to the packet.