Date: Fri, 1 Sep 2017 19:20:54 +0300
From: Vasily Averin <>
Cc: Andrey Konovalov <>
Subject: CVE-2017-14106 kernel: net/ipv4: divide by 0 in __tcp_select_window()

[Suggested description]
The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows
local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) 
by triggering a disconnect within a certain tcp_recvmsg code path.

[VulnerabilityType Other]
CWE-369: Divide By Zero


Andrey Konovalov  <>

It was fixed in linux mainline 4.12-rc3

commit 499350a5a6e7512d9ed369ed63a4244b6536f4f8
Author: Wei Wang <>
Date:   Thu May 18 11:22:33 2017 -0700

    tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

    When tcp_disconnect() is called, inet_csk_delack_init() sets
    icsk->icsk_ack.rcv_mss to 0.
    This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
    __tcp_select_window() call path to have division by 0 issue.
    So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.

    Reported-by: Andrey Konovalov  <>
    Signed-off-by: Wei Wang <>
    Signed-off-by: Eric Dumazet <>
    Signed-off-by: Neal Cardwell <>
    Signed-off-by: Yuchung Cheng <>
    Signed-off-by: David S. Miller <>

Thank you,
	Vasily Averin
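
Added example, not part of the original message and not kernel code: a user-space C model of the state reset described in the commit message, before and after the fix. The struct, the function names and the simplified window arithmetic are assumptions made for illustration; only rcv_mss and TCP_MIN_MSS are names taken from the commit.

```c
#include <stdio.h>
#include <string.h>

#define TCP_MIN_MSS 88U /* kernel constant named in the commit message */

/* Hypothetical stand-in for the icsk->icsk_ack fields that matter here. */
struct ack_state {
    unsigned int pending;
    unsigned int rcv_mss;
};

/* Pre-fix disconnect path: the delayed-ACK state is reset, rcv_mss ends at 0. */
static void disconnect_before_fix(struct ack_state *a)
{
    memset(a, 0, sizeof(*a));
}

/* Post-fix path: same reset, then rcv_mss is set to TCP_MIN_MSS. */
static void disconnect_after_fix(struct ack_state *a)
{
    memset(a, 0, sizeof(*a));
    a->rcv_mss = TCP_MIN_MSS;
}

/* Simplified window selection: largest multiple of rcv_mss that fits in
 * free_space. Returns -1 at the point where an unguarded division by
 * rcv_mss would fault (CWE-369). */
static int select_window_model(const struct ack_state *a, int free_space)
{
    int mss = (int)a->rcv_mss;

    if (mss == 0)
        return -1;
    if (free_space < mss)
        return 0;
    return (free_space / mss) * mss;
}

int main(void)
{
    struct ack_state a;

    disconnect_before_fix(&a);
    printf("before fix: %d\n", select_window_model(&a, 4096));
    disconnect_after_fix(&a);
    printf("after fix:  %d\n", select_window_model(&a, 4096));
    return 0;
}
```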
