integer overflow in TCP LRO

Colin Percival cperciva at freebsd.org
Sat Jul 2 21:24:38 UTC 2011


Hi all,

In tcp_lro_rx it's possible for lro->len to exceed 65536, resulting in an
integer overflow and 65536 bytes of TCP "packet loss" when tcp_lro_flush
stuffs lro->len back into an IP header.

It's clear that an attempt was made to avoid overflow:

	/* flush packet if required */
	device_mtu = cntl->ifp->if_mtu;
	if (lro->len > (65535 - device_mtu)) {

but this doesn't work because incoming "packets" can be larger than
device_mtu bytes if LRO is turned on.

I've attached a patch which fixes this and improves Linux->FreeBSD network
performance on EC2 cluster compute nodes from 13 Mbps to 4100 Mbps... any
objections to me committing this?

-- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tcp_lro.c.diff
Type: text/x-patch
Size: 562 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-net/attachments/20110702/9553882f/tcp_lro.c.bin
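
Added example (not part of the original message, and not the attached patch): a user-space C model of the length check quoted above, showing how segments larger than the device MTU push the aggregate past 65535 and lose 65536 bytes when the length is stored in a 16-bit field. The 17000-byte segment sizes, the check-after-append ordering, and the alternative guard are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed input: four segments already merged to 17000 bytes each by a
 * lower layer, arriving on an interface whose MTU is 1500. */
static const uint32_t premerged[4] = { 17000, 17000, 17000, 17000 };

/* Model of the flush step: the aggregate length is written into a 16-bit
 * IP length field; returns how many bytes the header no longer accounts for. */
static uint32_t model_flush(uint32_t *len)
{
    uint16_t ip_len = (uint16_t)*len;     /* wraps modulo 65536 */
    uint32_t missing = *len - ip_len;
    *len = 0;
    return missing;
}

/* Returns total bytes unaccounted for after aggregating segs[0..n).
 * guard_on_seg == 0: the check quoted in the message, assumed here to run
 *                    after a segment has been appended.
 * guard_on_seg != 0: hypothetical guard that flushes before an append that
 *                    would pass 65535 (not necessarily the attached patch). */
static uint32_t lost_bytes(int guard_on_seg, uint32_t mtu,
                           const uint32_t *segs, size_t n)
{
    uint32_t len = 0, lost = 0;
    for (size_t i = 0; i < n; i++) {
        if (guard_on_seg && len + segs[i] > 65535)
            lost += model_flush(&len);
        len += segs[i];
        if (!guard_on_seg && len > 65535 - mtu)
            lost += model_flush(&len);
    }
    if (len > 0)
        lost += model_flush(&len);
    return lost;
}

int main(void)
{
    printf("MTU-based check:     %u bytes lost\n",
           (unsigned)lost_bytes(0, 1500, premerged, 4));
    printf("segment-based guard: %u bytes lost\n",
           (unsigned)lost_bytes(1, 1500, premerged, 4));
    return 0;
}
```

With MTU-sized segments the quoted check never lets the aggregate pass 65535; the loss appears only once a single incoming segment exceeds the headroom the check reserves.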