From c89c785b301ea90290190aceeb1da0c9b7d464b3 Mon Sep 17 00:00:00 2001
From: Silvino
Date: Tue, 18 Jun 2019 20:38:33 +0100
Subject: added protection against sack in core sysctl

---
 core/conf/sysctl.conf | 3 +++
 core/sysctl.html | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf
index 771112a..d50520e 100644
--- a/core/conf/sysctl.conf
+++ b/core/conf/sysctl.conf
@@ -39,6 +39,9 @@ net.core.wmem_max = 8388608
 net.core.netdev_max_backlog = 5000
 net.ipv4.tcp_window_scaling = 1
 
+#A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic.
+net.ipv4.tcp_sack = 0
+
 # Both ports linux-blob and linux-libre don't build with ipv6
 # Disable ipv6
 net.ipv6.conf.all.disable_ipv6 = 1
diff --git a/core/sysctl.html b/core/sysctl.html
index afee463..550ae6d 100644
--- a/core/sysctl.html
+++ b/core/sysctl.html
@@ -62,6 +62,9 @@
 net.core.netdev_max_backlog = 5000
 net.ipv4.tcp_window_scaling = 1
 
+ #A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic.
+ net.ipv4.tcp_sack = 0
+
 # Both ports linux-blob and linux-libre don't build with ipv6
 # Disable ipv6
 net.ipv6.conf.all.disable_ipv6 = 1
-- 
cgit 1.4.1-2-gfad0
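Review bot: The new comment above `net.ipv4.tcp_sack = 0` in core/conf/sysctl.conf (and its copy in core/sysctl.html) does not say that disabling SACK is a workaround rather than the fix, nor what it costs: without selective acknowledgement a receiver can no longer report which non-contiguous segments arrived, so on lossy links TCP retransmits more than it needs to. The underlying defect is in the kernel's SACK handling, so the durable fix is presumably a patched kernel and this sysctl only blunts the trigger until one is deployed. I would state both points and match the file's existing `# ` comment spacing (compare `# Disable ipv6` two lines below): `# Workaround: crafted SACK sequences can trigger an integer overflow and kernel panic. Disabling SACK costs retransmission efficiency on lossy links; revert once the kernel is patched.`. core/sysctl.html is a hand-maintained mirror of the conf file, so the same wording belongs in the second hunk to keep the two copies from drifting.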