integer overflow in TCP LRO
Jack Vogel
jfvogel at gmail.com
Sun Jul 3 00:48:57 UTC 2011
Looks good to me, good work!
Jack
On Sat, Jul 2, 2011 at 2:24 PM, Colin Percival <cperciva at freebsd.org> wrote:
> Hi all,
>
> In tcp_lro_rx it's possible for lro->len to exceed 65536, resulting in an
> integer overflow and 65536 bytes of TCP "packet loss" when tcp_lro_flush
> stuffs lro->len back into an IP header.
>
> It's clear that an attempt was made to avoid overflow
> 339: /* flush packet if required */
> 340: device_mtu = cntl->ifp->if_mtu;
> 341: if (lro->len > (65535 - device_mtu)) {
> but this doesn't work because incoming "packets" can be larger than
> device_mtu bytes if LRO is turned on.
>
> I've attached a patch which fixes this and improves Linux->FreeBSD network
> performance on EC2 cluster compute nodes from 13 Mbps to 4100 Mbps... any
> objections to me committing this?
>
> --
> Colin Percival
> Security Officer, FreeBSD | freebsd.org | The power to serve
> Founder / author, Tarsnap | tarsnap.com | Online backups for the truly
> paranoid
>
More information about the freebsd-net
mailing list