From c89c785b301ea90290190aceeb1da0c9b7d464b3 Mon Sep 17 00:00:00 2001 From: Silvino Date: Tue, 18 Jun 2019 20:38:33 +0100 Subject: added protection against sack in core sysctl --- core/sysctl.html | 3 +++ 1 file changed, 3 insertions(+) (limited to 'core/sysctl.html') diff --git a/core/sysctl.html b/core/sysctl.html index afee463..550ae6d 100644 --- a/core/sysctl.html +++ b/core/sysctl.html @@ -62,6 +62,9 @@ net.core.netdev_max_backlog = 5000 net.ipv4.tcp_window_scaling = 1 + #A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic. + net.ipv4.tcp_sack = 0 + # Both ports linux-blob and linux-libre don't build with ipv6 # Disable ipv6 net.ipv6.conf.all.disable_ipv6 = 1 -- cgit 1.4.1-2-gfad0
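Review bot: The added `net.ipv4.tcp_sack = 0` turns off selective acknowledgements for every TCP connection, and the comment above it does not say that this is a workaround rather than a permanent setting. Running without SACK costs throughput on lossy or high-latency links, so the comment should record when the line can be dropped, for example `# Workaround for the SACK integer overflow (kernel panic); remove once the running kernel carries the fix.` The comment also opens with `#A` where the neighbouring comments use `# ` followed by a space. If the kernels these ports build provide `net.ipv4.tcp_min_snd_mss`, raising it may be a narrower mitigation that keeps SACK enabled, but the hunk does not show which kernel versions the page targets.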