| field | value | date |
|---|---|---|
| author | Bhasker Hariharan <bhaskerh@google.com> | 2020-07-27 15:12:36 -0700 |
| committer | gVisor bot <gvisor-bot@google.com> | 2020-07-27 15:14:34 -0700 |
| commit | ca6bded95dbce07f9683904b4b768dfc2d4a09b2 (patch) | |
| tree | 374f9b25e61e203099d25237617f985546e10712 /pkg/sentry/BUILD | |
| parent | 9a4ad9d5e74ae06040b115026ef8ef6421d5a7b1 (diff) | |
Fix memory accounting in TCP pending segment queue.
TCP now tracks the overhead of the segment structure itself in its out-of-order
queue (pending). This is required to ensure that a malicious sender sending 1
byte out-of-order segments cannot queue like 1000s of segments which bloat up
memory usage.
We also reduce the default receive window to 32KB. With TCP moderation there is
no need to keep this window at 1MB which means that for new connections the
default out-of-order queue will be small unless the application actually reads
the data that is being sent. This prevents a sender from just maliciously
filling up pending buf with lots of tiny out-of-order segments.
PiperOrigin-RevId: 323450913
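The accounting the message describes, as an added Go illustration that is not gVisor's code: a pending queue charges each out-of-order segment its payload plus a fixed struct overhead against a 32 KiB budget, so a stream of 1-byte segments exhausts the budget after a few hundred segments instead of tens of thousands. The overhead constant, the window size used as the budget, and all type and function names are assumptions made for this example.

```go
package main

import "fmt"

// Values assumed for this illustration, not gVisor's own: a 32 KiB receive
// window as the queue budget and a fixed per-segment struct overhead.
const (
	defaultRcvWnd = 32 * 1024
	segOverhead   = 200 // hypothetical size of the segment struct
)

// segment is a simplified stand-in for a queued out-of-order TCP segment.
type segment struct {
	seq     uint32
	payload []byte
}

// pendingQueue tracks memory used by out-of-order segments. With countOverhead
// set, each segment is also charged its struct size, as the commit describes.
type pendingQueue struct {
	limit, used   int
	countOverhead bool
}

// enqueue admits the segment only if it fits the remaining budget, else drops it.
func (q *pendingQueue) enqueue(s segment) bool {
	cost := len(s.payload)
	if q.countOverhead {
		cost += segOverhead // charge the struct itself, not just its payload
	}
	if q.used+cost > q.limit {
		return false // budget exhausted: drop the segment
	}
	q.used += cost
	return true
}

// tinySegmentsAccepted counts 1-byte out-of-order segments admitted before the budget runs out.
func tinySegmentsAccepted(countOverhead bool) int {
	q := &pendingQueue{limit: defaultRcvWnd, countOverhead: countOverhead}
	n := 0
	for q.enqueue(segment{seq: uint32(2 * n), payload: []byte{0}}) {
		n++
	}
	return n
}

func main() {
	fmt.Println("1-byte segments accepted, payload-only vs with overhead:", tinySegmentsAccepted(false), tinySegmentsAccepted(true))
}
```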
Diffstat (limited to 'pkg/sentry/BUILD')
0 files changed, 0 insertions, 0 deletions