tcp: CVE-2019-11479

tcp: add tcp_min_snd_mss sysctl tcp: enforce tcp_min_snd_mss in tcp_mtu_probing() References: https://nvd.nist.gov/vuln/detail/CVE-2019-11479 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=8e39cbc03dafa3731d22533f869bf326c0e6e6f8 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=7e9096287352d0416f3caa0919c90bd9ed2f68d3 Change-Id: I75cade9036c762b5a2cc4512b87fcf96a66f11a0 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-07-10 12:12:49 +0200
committer: Adrian Stratulat <Adrian.Stratulat@enea.com> 2019-07-12 14:53:24 +0200
commit: da9b21cafedbe210b4d6b399e513a21017fee7c1 (patch)
tree: ac8cf2a1e16ef4b9cecdf4214b2e08a481aeb947
parent: f095fec9a8e21c24ebdc61341bed46d469bd1384 (diff)
download: enea-kernel-cache-da9b21cafedbe210b4d6b399e513a21017fee7c1.tar.gz
3 files changed, 190 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index ad03493..18412cb 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -48,3 +48,5 @@ patch CVE-2018-20836-scsi-libsas-fix-a-race-condition-when-smp-task-timeo.patch
 patch CVE-2019-11477-tcp-limit-payload-size-of-sacked-skbs.patch
 patch CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
 patch CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch
+patch CVE-2019-11479-tcp-add-tcp_min_snd_mss-sysctl.patch
+patch CVE-2019-11479-tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch
diff --git a/patches/cve/CVE-2019-11479-tcp-add-tcp_min_snd_mss-sysctl.patch b/patches/cve/CVE-2019-11479-tcp-add-tcp_min_snd_mss-sysctl.patch
new file mode 100644
index 0000000..9cb6467
--- /dev/null
+++ b/patches/cve/CVE-2019-11479-tcp-add-tcp_min_snd_mss-sysctl.patch
@@ -0,0 +1,142 @@
+From 8e39cbc03dafa3731d22533f869bf326c0e6e6f8 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 15 Jun 2019 17:44:24 -0700
+Subject: [PATCH] tcp: add tcp_min_snd_mss sysctl
+commit 5f3e2bf008c2221478101ee72f5cb4654b9fc363 upstream.
+Some TCP peers announce a very small MSS option in their SYN and/or
+SYN/ACK messages.
+This forces the stack to send packets with a very high network/cpu
+overhead.
+Linux has enforced a minimal value of 48. Since this value includes
+the size of TCP options, and that the options can consume up to 40
+bytes, this means that each segment can include only 8 bytes of payload.
+In some cases, it can be useful to increase the minimal value
+to a saner value.
+We still let the default to 48 (TCP_MIN_SND_MSS), for compatibility
+reasons.
+Note that TCP_MAXSEG socket option enforces a minimal value
+of (TCP_MIN_MSS). David Miller increased this minimal value
+in commit c39508d6f118 ("tcp: Make TCP_MAXSEG minimum more correct.")
+from 64 to 88.
+We might in the future merge TCP_MIN_SND_MSS and TCP_MIN_MSS.
+CVE-2019-11479 -- tcp mss hardcoded to 48
+CVE: CVE-2019-11479
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=8e39cbc03dafa3731d22533f869bf326c0e6e6f8]
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Suggested-by: Jonathan Looney <jtl@netflix.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Tyler Hicks <tyhicks@canonical.com>
+Cc: Bruce Curtis <brucec@netflix.com>
+Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ Documentation/networking/ip-sysctl.txt |  8 ++++++++
+ include/net/netns/ipv4.h               |  1 +
+ net/ipv4/sysctl_net_ipv4.c             | 11 +++++++++++
+ net/ipv4/tcp_ipv4.c                    |  1 +
+ net/ipv4/tcp_output.c                  |  3 +--
+ 5 files changed, 22 insertions(+), 2 deletions(-)
+diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
+index 0335285f3918..49935d5bb5c6 100644
+--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
+@@ -230,6 +230,14 @@ tcp_base_mss - INTEGER
+        Path MTU discovery (MTU probing).  If MTU probing is enabled,
+        this is the initial MSS used by the connection.
+ 
+tcp_min_snd_mss - INTEGER
+       TCP SYN and SYNACK messages usually advertise an ADVMSS option,
+       as described in RFC 1122 and RFC 6691.
+       If this ADVMSS option is smaller than tcp_min_snd_mss,
+       it is silently capped to tcp_min_snd_mss.
+
+       Default : 48 (at least 8 bytes of payload per segment)
+
+ tcp_congestion_control - STRING
+        Set the congestion control algorithm to be used for new
+        connections. The algorithm "reno" is always available, but
+diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
+index 7adf4386ac8f..bf619a67ec03 100644
+--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
+@@ -94,6 +94,7 @@ struct netns_ipv4 {
+ #endif
+        int sysctl_tcp_mtu_probing;
+        int sysctl_tcp_base_mss;
+       int sysctl_tcp_min_snd_mss;
+        int sysctl_tcp_probe_threshold;
+        u32 sysctl_tcp_probe_interval;
+ 
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 85713adf2770..e202babb14d6 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -35,6 +35,8 @@ static int ip_local_port_range_min[] = { 1, 1 };
+ static int ip_local_port_range_max[] = { 65535, 65535 };
+ static int tcp_adv_win_scale_min = -31;
+ static int tcp_adv_win_scale_max = 31;
+static int tcp_min_snd_mss_min = TCP_MIN_SND_MSS;
+static int tcp_min_snd_mss_max = 65535;
+ static int ip_ttl_min = 1;
+ static int ip_ttl_max = 255;
+ static int tcp_syn_retries_min = 1;
+@@ -838,6 +840,15 @@ static struct ctl_table ipv4_net_table[] = {
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec,
+        },
+       {
+               .procname       = "tcp_min_snd_mss",
+               .data           = &init_net.ipv4.sysctl_tcp_min_snd_mss,
+               .maxlen         = sizeof(int),
+               .mode           = 0644,
+               .proc_handler   = proc_dointvec_minmax,
+               .extra1         = &tcp_min_snd_mss_min,
+               .extra2         = &tcp_min_snd_mss_max,
+       },
+        {
+                .procname       = "tcp_probe_threshold",
+                .data           = &init_net.ipv4.sysctl_tcp_probe_threshold,
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 82c1064ff4aa..848f2c1da8a5 100644
+--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
+@@ -2456,6 +2456,7 @@ static int __net_init tcp_sk_init(struct net *net)
+        net->ipv4.sysctl_tcp_ecn_fallback = 1;
+ 
+        net->ipv4.sysctl_tcp_base_mss = TCP_BASE_MSS;
+       net->ipv4.sysctl_tcp_min_snd_mss = TCP_MIN_SND_MSS;
+        net->ipv4.sysctl_tcp_probe_threshold = TCP_PROBE_THRESHOLD;
+        net->ipv4.sysctl_tcp_probe_interval = TCP_PROBE_INTERVAL;
+ 
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 123b2d8fde46..d8c6b833f0ce 100644
+--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
+@@ -1360,8 +1360,7 @@ static inline int __tcp_mtu_to_mss(struct sock *sk, int pmtu)
+        mss_now -= icsk->icsk_ext_hdr_len;
+ 
+        /* Then reserve room for full set of TCP options and 8 bytes of data */
+-       if (mss_now < TCP_MIN_SND_MSS)
+-               mss_now = TCP_MIN_SND_MSS;
+       mss_now = max(mss_now, sock_net(sk)->ipv4.sysctl_tcp_min_snd_mss);
+        return mss_now;
+ }
+ 
+-- 
+2.20.1
diff --git a/patches/cve/CVE-2019-11479-tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch b/patches/cve/CVE-2019-11479-tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch
new file mode 100644
index 0000000..5576fcf
--- /dev/null
+++ b/patches/cve/CVE-2019-11479-tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch
@@ -0,0 +1,46 @@
+From 7e9096287352d0416f3caa0919c90bd9ed2f68d3 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 15 Jun 2019 17:47:27 -0700
+Subject: [PATCH] tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()
+commit 967c05aee439e6e5d7d805e195b3a20ef5c433d6 upstream.
+If mtu probing is enabled tcp_mtu_probing() could very well end up
+with a too small MSS.
+Use the new sysctl tcp_min_snd_mss to make sure MSS search
+is performed in an acceptable range.
+CVE-2019-11479 -- tcp mss hardcoded to 48
+CVE: CVE-2019-11479 fix
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=7e9096287352d0416f3caa0919c90bd9ed2f68d3]
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Jonathan Lemon <jonathan.lemon@gmail.com>
+Cc: Jonathan Looney <jtl@netflix.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Tyler Hicks <tyhicks@canonical.com>
+Cc: Bruce Curtis <brucec@netflix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ net/ipv4/tcp_timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
+index 69523389f067..d9e364c4863a 100644
+--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
+@@ -140,6 +140,7 @@ static void tcp_mtu_probing(struct inet_connection_sock *icsk, struct sock *sk)
+                        mss = tcp_mtu_to_mss(sk, icsk->icsk_mtup.search_low) >> 1;
+                        mss = min(net->ipv4.sysctl_tcp_base_mss, mss);
+                        mss = max(mss, 68 - tp->tcp_header_len);
+                       mss = max(mss, net->ipv4.sysctl_tcp_min_snd_mss);
+                        icsk->icsk_mtup.search_low = tcp_mss_to_mtu(sk, mss);
+                        tcp_sync_mss(sk, icsk->icsk_pmtu_cookie);
+                }
+-- 
+2.20.1
author	Andreas Wellving <andreas.wellving@enea.com>	2019-07-10 12:12:49 +0200
committer	Adrian Stratulat <Adrian.Stratulat@enea.com>	2019-07-12 14:53:24 +0200
commit	da9b21cafedbe210b4d6b399e513a21017fee7c1 (patch)
tree	ac8cf2a1e16ef4b9cecdf4214b2e08a481aeb947
parent	f095fec9a8e21c24ebdc61341bed46d469bd1384 (diff)
download	enea-kernel-cache-da9b21cafedbe210b4d6b399e513a21017fee7c1.tar.gz

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index ad03493..18412cb 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc
@@ -48,3 +48,5 @@ patch CVE-2018-20836-scsi-libsas-fix-a-race-condition-when-smp-task-timeo.patch
48	patch CVE-2019-11477-tcp-limit-payload-size-of-sacked-skbs.patch	48	patch CVE-2019-11477-tcp-limit-payload-size-of-sacked-skbs.patch
49	patch CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch	49	patch CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
50	patch CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch	50	patch CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch
		51	patch CVE-2019-11479-tcp-add-tcp_min_snd_mss-sysctl.patch
		52	patch CVE-2019-11479-tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch


diff --git a/patches/cve/CVE-2019-11479-tcp-add-tcp_min_snd_mss-sysctl.patch b/patches/cve/CVE-2019-11479-tcp-add-tcp_min_snd_mss-sysctl.patch new file mode 100644 index 0000000..9cb6467 --- /dev/null +++ b/patches/cve/CVE-2019-11479-tcp-add-tcp_min_snd_mss-sysctl.patch
@@ -0,0 +1,142 @@
		1	From 8e39cbc03dafa3731d22533f869bf326c0e6e6f8 Mon Sep 17 00:00:00 2001
		2	From: Eric Dumazet <edumazet@google.com>
		3	Date: Sat, 15 Jun 2019 17:44:24 -0700
		4	Subject: [PATCH] tcp: add tcp_min_snd_mss sysctl
		5
		6	commit 5f3e2bf008c2221478101ee72f5cb4654b9fc363 upstream.
		7
		8	Some TCP peers announce a very small MSS option in their SYN and/or
		9	SYN/ACK messages.
		10
		11	This forces the stack to send packets with a very high network/cpu
		12	overhead.
		13
		14	Linux has enforced a minimal value of 48. Since this value includes
		15	the size of TCP options, and that the options can consume up to 40
		16	bytes, this means that each segment can include only 8 bytes of payload.
		17
		18	In some cases, it can be useful to increase the minimal value
		19	to a saner value.
		20
		21	We still let the default to 48 (TCP_MIN_SND_MSS), for compatibility
		22	reasons.
		23
		24	Note that TCP_MAXSEG socket option enforces a minimal value
		25	of (TCP_MIN_MSS). David Miller increased this minimal value
		26	in commit c39508d6f118 ("tcp: Make TCP_MAXSEG minimum more correct.")
		27	from 64 to 88.
		28
		29	We might in the future merge TCP_MIN_SND_MSS and TCP_MIN_MSS.
		30
		31	CVE-2019-11479 -- tcp mss hardcoded to 48
		32
		33	CVE: CVE-2019-11479
		34	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=8e39cbc03dafa3731d22533f869bf326c0e6e6f8]
		35
		36	Signed-off-by: Eric Dumazet <edumazet@google.com>
		37	Suggested-by: Jonathan Looney <jtl@netflix.com>
		38	Acked-by: Neal Cardwell <ncardwell@google.com>
		39	Cc: Yuchung Cheng <ycheng@google.com>
		40	Cc: Tyler Hicks <tyhicks@canonical.com>
		41	Cc: Bruce Curtis <brucec@netflix.com>
		42	Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
		43	Signed-off-by: David S. Miller <davem@davemloft.net>
		44	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		45	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		46	---
		47	Documentation/networking/ip-sysctl.txt \| 8 ++++++++
		48	include/net/netns/ipv4.h \| 1 +
		49	net/ipv4/sysctl_net_ipv4.c \| 11 +++++++++++
		50	net/ipv4/tcp_ipv4.c \| 1 +
		51	net/ipv4/tcp_output.c \| 3 +--
		52	5 files changed, 22 insertions(+), 2 deletions(-)
		53
		54	diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
		55	index 0335285f3918..49935d5bb5c6 100644
		56	--- a/Documentation/networking/ip-sysctl.txt
		57	+++ b/Documentation/networking/ip-sysctl.txt
		58	@@ -230,6 +230,14 @@ tcp_base_mss - INTEGER
		59	Path MTU discovery (MTU probing). If MTU probing is enabled,
		60	this is the initial MSS used by the connection.
		61
		62	+tcp_min_snd_mss - INTEGER
		63	+ TCP SYN and SYNACK messages usually advertise an ADVMSS option,
		64	+ as described in RFC 1122 and RFC 6691.
		65	+ If this ADVMSS option is smaller than tcp_min_snd_mss,
		66	+ it is silently capped to tcp_min_snd_mss.
		67	+
		68	+ Default : 48 (at least 8 bytes of payload per segment)
		69	+
		70	tcp_congestion_control - STRING
		71	Set the congestion control algorithm to be used for new
		72	connections. The algorithm "reno" is always available, but
		73	diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
		74	index 7adf4386ac8f..bf619a67ec03 100644
		75	--- a/include/net/netns/ipv4.h
		76	+++ b/include/net/netns/ipv4.h
		77	@@ -94,6 +94,7 @@ struct netns_ipv4 {
		78	#endif
		79	int sysctl_tcp_mtu_probing;
		80	int sysctl_tcp_base_mss;
		81	+ int sysctl_tcp_min_snd_mss;
		82	int sysctl_tcp_probe_threshold;
		83	u32 sysctl_tcp_probe_interval;
		84
		85	diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
		86	index 85713adf2770..e202babb14d6 100644
		87	--- a/net/ipv4/sysctl_net_ipv4.c
		88	+++ b/net/ipv4/sysctl_net_ipv4.c
		89	@@ -35,6 +35,8 @@ static int ip_local_port_range_min[] = { 1, 1 };
		90	static int ip_local_port_range_max[] = { 65535, 65535 };
		91	static int tcp_adv_win_scale_min = -31;
		92	static int tcp_adv_win_scale_max = 31;
		93	+static int tcp_min_snd_mss_min = TCP_MIN_SND_MSS;
		94	+static int tcp_min_snd_mss_max = 65535;
		95	static int ip_ttl_min = 1;
		96	static int ip_ttl_max = 255;
		97	static int tcp_syn_retries_min = 1;
		98	@@ -838,6 +840,15 @@ static struct ctl_table ipv4_net_table[] = {
		99	.mode = 0644,
		100	.proc_handler = proc_dointvec,
		101	},
		102	+ {
		103	+ .procname = "tcp_min_snd_mss",
		104	+ .data = &init_net.ipv4.sysctl_tcp_min_snd_mss,
		105	+ .maxlen = sizeof(int),
		106	+ .mode = 0644,
		107	+ .proc_handler = proc_dointvec_minmax,
		108	+ .extra1 = &tcp_min_snd_mss_min,
		109	+ .extra2 = &tcp_min_snd_mss_max,
		110	+ },
		111	{
		112	.procname = "tcp_probe_threshold",
		113	.data = &init_net.ipv4.sysctl_tcp_probe_threshold,
		114	diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
		115	index 82c1064ff4aa..848f2c1da8a5 100644
		116	--- a/net/ipv4/tcp_ipv4.c
		117	+++ b/net/ipv4/tcp_ipv4.c
		118	@@ -2456,6 +2456,7 @@ static int __net_init tcp_sk_init(struct net *net)
		119	net->ipv4.sysctl_tcp_ecn_fallback = 1;
		120
		121	net->ipv4.sysctl_tcp_base_mss = TCP_BASE_MSS;
		122	+ net->ipv4.sysctl_tcp_min_snd_mss = TCP_MIN_SND_MSS;
		123	net->ipv4.sysctl_tcp_probe_threshold = TCP_PROBE_THRESHOLD;
		124	net->ipv4.sysctl_tcp_probe_interval = TCP_PROBE_INTERVAL;
		125
		126	diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
		127	index 123b2d8fde46..d8c6b833f0ce 100644
		128	--- a/net/ipv4/tcp_output.c
		129	+++ b/net/ipv4/tcp_output.c
		130	@@ -1360,8 +1360,7 @@ static inline int __tcp_mtu_to_mss(struct sock *sk, int pmtu)
		131	mss_now -= icsk->icsk_ext_hdr_len;
		132
		133	/* Then reserve room for full set of TCP options and 8 bytes of data */
		134	- if (mss_now < TCP_MIN_SND_MSS)
		135	- mss_now = TCP_MIN_SND_MSS;
		136	+ mss_now = max(mss_now, sock_net(sk)->ipv4.sysctl_tcp_min_snd_mss);
		137	return mss_now;
		138	}
		139
		140	--
		141	2.20.1
		142


diff --git a/patches/cve/CVE-2019-11479-tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch b/patches/cve/CVE-2019-11479-tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch new file mode 100644 index 0000000..5576fcf --- /dev/null +++ b/patches/cve/CVE-2019-11479-tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch
@@ -0,0 +1,46 @@
		1	From 7e9096287352d0416f3caa0919c90bd9ed2f68d3 Mon Sep 17 00:00:00 2001
		2	From: Eric Dumazet <edumazet@google.com>
		3	Date: Sat, 15 Jun 2019 17:47:27 -0700
		4	Subject: [PATCH] tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()
		5
		6	commit 967c05aee439e6e5d7d805e195b3a20ef5c433d6 upstream.
		7
		8	If mtu probing is enabled tcp_mtu_probing() could very well end up
		9	with a too small MSS.
		10
		11	Use the new sysctl tcp_min_snd_mss to make sure MSS search
		12	is performed in an acceptable range.
		13
		14	CVE-2019-11479 -- tcp mss hardcoded to 48
		15
		16	CVE: CVE-2019-11479 fix
		17	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=7e9096287352d0416f3caa0919c90bd9ed2f68d3]
		18
		19	Signed-off-by: Eric Dumazet <edumazet@google.com>
		20	Reported-by: Jonathan Lemon <jonathan.lemon@gmail.com>
		21	Cc: Jonathan Looney <jtl@netflix.com>
		22	Acked-by: Neal Cardwell <ncardwell@google.com>
		23	Cc: Yuchung Cheng <ycheng@google.com>
		24	Cc: Tyler Hicks <tyhicks@canonical.com>
		25	Cc: Bruce Curtis <brucec@netflix.com>
		26	Signed-off-by: David S. Miller <davem@davemloft.net>
		27	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		28	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		29	---
		30	net/ipv4/tcp_timer.c \| 1 +
		31	1 file changed, 1 insertion(+)
		32
		33	diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
		34	index 69523389f067..d9e364c4863a 100644
		35	--- a/net/ipv4/tcp_timer.c
		36	+++ b/net/ipv4/tcp_timer.c
		37	@@ -140,6 +140,7 @@ static void tcp_mtu_probing(struct inet_connection_sock icsk, struct sock sk)
		38	mss = tcp_mtu_to_mss(sk, icsk->icsk_mtup.search_low) >> 1;
		39	mss = min(net->ipv4.sysctl_tcp_base_mss, mss);
		40	mss = max(mss, 68 - tp->tcp_header_len);
		41	+ mss = max(mss, net->ipv4.sysctl_tcp_min_snd_mss);
		42	icsk->icsk_mtup.search_low = tcp_mss_to_mtu(sk, mss);
		43	tcp_sync_mss(sk, icsk->icsk_pmtu_cookie);
		44	}
		45	--
		46	2.20.1