!10232 fix CVE-2024-41007 (f4f92ff0) · Commits · EulixOS / Software / Kernel

net/ipv4/tcp_timer.c

+23 −6

Original line number	Diff line number	Diff line
		@@ -440,17 +440,34 @@ static void tcp_fastopen_synack_timer(struct sock sk, struct request_sock req)
		static bool tcp_rtx_probe0_timed_out(const struct sock *sk,
		const struct sk_buff *skb)
		{
		const struct inet_connection_sock *icsk = inet_csk(sk);
		u32 user_timeout = READ_ONCE(icsk->icsk_user_timeout);
		const struct tcp_sock *tp = tcp_sk(sk);
		const int timeout = TCP_RTO_MAX * 2;
		u32 rcv_delta, rtx_delta;

		rcv_delta = inet_csk(sk)->icsk_timeout - tp->rcv_tstamp;
		if (rcv_delta <= timeout)
		return false;
		int timeout = TCP_RTO_MAX * 2;
		u32 rtx_delta;
		s32 rcv_delta;

		rtx_delta = (u32)msecs_to_jiffies(tcp_time_stamp(tp) -
		(tp->retrans_stamp ?: tcp_skb_timestamp(skb)));

		if (user_timeout) {
		/* If user application specified a TCP_USER_TIMEOUT,
		* it does not want win 0 packets to 'reset the timer'
		* while retransmits are not making progress.
		*/
		if (rtx_delta > user_timeout)
		return true;
		timeout = min_t(u32, timeout, msecs_to_jiffies(user_timeout));
		}

		/* Note: timer interrupt might have been delayed by at least one jiffy,
		* and tp->rcv_tstamp might very well have been written recently.
		* rcv_delta can thus be negative.
		*/
		rcv_delta = icsk->icsk_timeout - tp->rcv_tstamp;
		if (rcv_delta <= timeout)
		return false;

		return rtx_delta > timeout;
		}