authorGreg Hackmann <ghackmann@google.com>2018-08-06 13:06:00 -0700
committerMoyster <oysterized@gmail.com>2018-11-27 12:48:41 +0100
commitc8747dd99e18c56f35750b0676ead5235e014e61 (patch)
tree13c7796da8529efa507dfafb5112885ae21966bb
parent406a9a01c1fab916894abb4a772103e51c6a6551 (diff)
ANDROID: Revert "net: increase fragment memory usage limits"
This reverts commit c2a936600f78aea00d3312ea4b66a79a4619f9b4. Bug: 111983486 Change-Id: Ibc7a3076d7ec928dac27c2fd2d1bdaff6cb8c349 Signed-off-by: Greg Hackmann <ghackmann@google.com>
-rw-r--r--include/net/ipv6.h4
-rw-r--r--net/ipv4/ip_fragment.c22
2 files changed, 9 insertions, 17 deletions
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 2145585f1..5a489757f 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -323,8 +323,8 @@ static inline int ip6_frag_mem(struct net *net)
}
#endif
-#define IPV6_FRAG_HIGH_THRESH (4 * 1024*1024) /* 4194304 */
-#define IPV6_FRAG_LOW_THRESH (3 * 1024*1024) /* 3145728 */
+#define IPV6_FRAG_HIGH_THRESH (256 * 1024) /* 262144 */
+#define IPV6_FRAG_LOW_THRESH (192 * 1024) /* 196608 */
#define IPV6_FRAG_TIMEOUT (60 * HZ) /* 60 seconds */
extern int __ipv6_addr_type(const struct in6_addr *addr);
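Review bot: The two new IPv6 thresholds carry only a comment echoing the arithmetic, so nothing at the definition says why the limits are this small or that they mirror the IPv4 values set in ipv4_frags_init_net() by the same commit. A short comment above the defines would keep the two from drifting apart, for example `/* Reassembly memory bounds; deliberately small to cap the work an attacker can force. Keep in step with net/ipv4/ip_fragment.c. */`. Where these macros are consumed is not visible in this hunk, so whether they are only per-namespace defaults should be confirmed before wording the comment more strongly.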
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index 04c7e4618..989201a3b 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -831,22 +831,14 @@ static inline void ip4_frags_ctl_register(void)
static int __net_init ipv4_frags_init_net(struct net *net)
{
- /* Fragment cache limits.
- *
- * The fragment memory accounting code, (tries to) account for
- * the real memory usage, by measuring both the size of frag
- * queue struct (inet_frag_queue (ipv4:ipq/ipv6:frag_queue))
- * and the SKB's truesize.
- *
- * A 64K fragment consumes 129736 bytes (44*2944)+200
- * (1500 truesize == 2944, sizeof(struct ipq) == 200)
- *
- * We will commit 4MB at one time. Should we cross that limit
- * we will prune down to 3MB, making room for approx 8 big 64K
- * fragments 8x128k.
+ /*
+ * Fragment cache limits. We will commit 256K at one time. Should we
+ * cross that limit we will prune down to 192K. This should cope with
+ * even the most extreme cases without allowing an attacker to
+ * measurably harm machine performance.
*/
- net->ipv4.frags.high_thresh = 4 * 1024 * 1024;
- net->ipv4.frags.low_thresh = 3 * 1024 * 1024;
+ net->ipv4.frags.high_thresh = 256 * 1024;
+ net->ipv4.frags.low_thresh = 192 * 1024;
/*
* Important NOTE! Fragment queue must be destroyed before MSL expires.
* RFC791 is wrong proposing to prolongate timer each fragment arrival
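Review bot: The restored comment's claim that 256K "should cope with even the most extreme cases" conflicts with the accounting in the comment this hunk removes. That comment put one 64K datagram at about 129736 bytes of truesize, so `high_thresh` is crossed by roughly two full-size reassemblies in flight, and pruning to 192K then evicts queues that may be legitimate. I would reword the comment to state the trade-off plainly: the small limit bounds attacker-forced reassembly cost at the price of dropping heavy legitimate fragmented traffic. It should also say these are defaults that can be raised through `net.ipv4.ipfrag_high_thresh` and `net.ipv4.ipfrag_low_thresh`, and that the `ReasmFails` counter shows when the limit is being hit. The body of ipv4_frags_init_net() continues past the end of this hunk.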