From a827cf2fdb8366d447a5eaf2e1a331002a5943da Mon Sep 17 00:00:00 2001
From: Taylor R Campbell <riastradh@NetBSD.org>
Date: Tue, 6 Aug 2019 15:26:14 +0000
Subject: [PATCH] Clamp tcp timer quantities to reasonable ranges.

Reported-by: syzbot+259675123340bf46a6de@syzkaller.appspotmail.com
---
 sys/netinet/tcp_input.c  |  4 ++--
 sys/netinet/tcp_subr.c   | 17 ++++++++++++-----
 sys/netinet/tcp_timer.h  |  6 ++++++
 sys/netinet/tcp_usrreq.c | 14 +++++++++-----
 4 files changed, 29 insertions(+), 12 deletions(-)

diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 8d8a3cc30466..503db78fc969 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -3379,7 +3379,7 @@ tcp_xmit_timer(struct tcpcb *tp, uint32_t rtt)
 		if (__predict_false(tcp_rttlocal) && tcp_msl_enable
 		    && tp->t_srtt > tcp_msl_remote_threshold
 		    && tp->t_msl  < tcp_msl_remote) {
-			tp->t_msl = tcp_msl_remote;
+			tp->t_msl = MIN(tcp_msl_remote, TCP_MAXMSL);
 		}
 	} else {
 		/*
@@ -3647,7 +3647,7 @@ syn_cache_timer(void *arg)
 	 * than the keep alive timer would allow, expire it.
 	 */
 	sc->sc_rxttot += sc->sc_rxtcur;
-	if (sc->sc_rxttot >= tcp_keepinit)
+	if (sc->sc_rxttot >= MIN(tcp_keepinit, TCP_TIMER_MAXTICKS))
 		goto dropit;
 
 	TCP_STATINC(TCP_STAT_SC_RETRANSMITTED);
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index a1d6b203a6dc..b0b338988a2e 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -948,11 +948,12 @@ tcp_tcpcb_template(void)
 	    TCPTV_MIN, TCPTV_REXMTMAX);
 
 	/* Keep Alive */
-	tp->t_keepinit = tcp_keepinit;
-	tp->t_keepidle = tcp_keepidle;
-	tp->t_keepintvl = tcp_keepintvl;
-	tp->t_keepcnt = tcp_keepcnt;
-	tp->t_maxidle = tp->t_keepcnt * tp->t_keepintvl;
+	tp->t_keepinit = MIN(tcp_keepinit, TCP_TIMER_MAXTICKS);
+	tp->t_keepidle = MIN(tcp_keepidle, TCP_TIMER_MAXTICKS);
+	tp->t_keepintvl = MIN(tcp_keepintvl, TCP_TIMER_MAXTICKS);
+	tp->t_keepcnt = MAX(1, MIN(tcp_keepcnt, TCP_TIMER_MAXTICKS));
+	tp->t_maxidle = tp->t_keepcnt * MIN(tp->t_keepintvl,
+	    TCP_TIMER_MAXTICKS/tp->t_keepcnt);
 
 	/* MSL */
 	tp->t_msl = TCPTV_MSL;
@@ -2012,6 +2013,9 @@ tcp_established(struct tcpcb *tp)
 		break;
 	}
 
+	/* Clamp to a reasonable range.  */
+	tp->t_msl = MIN(tp->t_msl, TCP_MAXMSL);
+
 #ifdef INET6
 	/* The !tp->t_inpcb lets the compiler know it can't be v4 *and* v6 */
 	while (!tp->t_inpcb && tp->t_in6pcb) {
@@ -2041,6 +2045,9 @@ tcp_established(struct tcpcb *tp)
 		tp->t_msl = tcp_msl_remote ? tcp_msl_remote : TCPTV_MSL;
 		break;
 	}
+
+	/* Clamp to a reasonable range.  */
+	tp->t_msl = MIN(tp->t_msl, TCP_MAXMSL);
 #endif
 
 	tp->t_state = TCPS_ESTABLISHED;
diff --git a/sys/netinet/tcp_timer.h b/sys/netinet/tcp_timer.h
index fd209cd93a3c..1d8baf85872f 100644
--- a/sys/netinet/tcp_timer.h
+++ b/sys/netinet/tcp_timer.h
@@ -165,6 +165,12 @@ const char *tcptimers[] =
 #define	TCP_TIMER_ISARMED(tp, timer)					\
 	callout_active(&(tp)->t_timer[(timer)])
 
+#define	TCP_TIMER_MAXTICKS						      \
+	(INT_MAX / (hz / PR_SLOWHZ))
+
+#define	TCP_MAXMSL							      \
+	(TCP_TIMER_MAXTICKS / 2)
+
 /*
  * Force a time value to be in a certain range.
  */
diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c
index 06e60a2b9582..c6c8ceedde02 100644
--- a/sys/netinet/tcp_usrreq.c
+++ b/sys/netinet/tcp_usrreq.c
@@ -209,7 +209,8 @@ tcp_getpcb(struct socket *so, struct inpcb **inp,
 static void
 change_keepalive(struct socket *so, struct tcpcb *tp)
 {
-	tp->t_maxidle = tp->t_keepcnt * tp->t_keepintvl;
+	tp->t_maxidle = tp->t_keepcnt * MIN(tp->t_keepintvl,
+	    TCP_TIMER_MAXTICKS / tp->t_keepcnt);
 	TCP_TIMER_DISARM(tp, TCPT_KEEP);
 	TCP_TIMER_DISARM(tp, TCPT_2MSL);
 
@@ -400,7 +401,7 @@ tcp_ctloutput(int op, struct socket *so, struct sockopt *sopt)
 			error = sockopt_get(sopt, &ui, sizeof(ui));
 			if (error)
 				break;
-			if (ui > 0) {
+			if (ui > 0 && ui <= TCP_TIMER_MAXTICKS) {
 				tp->t_keepidle = ui;
 				change_keepalive(so, tp);
 			} else
@@ -411,7 +412,7 @@ tcp_ctloutput(int op, struct socket *so, struct sockopt *sopt)
 			error = sockopt_get(sopt, &ui, sizeof(ui));
 			if (error)
 				break;
-			if (ui > 0) {
+			if (ui > 0 && ui <= TCP_TIMER_MAXTICKS) {
 				tp->t_keepintvl = ui;
 				change_keepalive(so, tp);
 			} else
@@ -422,7 +423,7 @@ tcp_ctloutput(int op, struct socket *so, struct sockopt *sopt)
 			error = sockopt_get(sopt, &ui, sizeof(ui));
 			if (error)
 				break;
-			if (ui > 0) {
+			if (ui > 0 && ui <= TCP_TIMER_MAXTICKS) {
 				tp->t_keepcnt = ui;
 				change_keepalive(so, tp);
 			} else
@@ -433,7 +434,7 @@ tcp_ctloutput(int op, struct socket *so, struct sockopt *sopt)
 			error = sockopt_get(sopt, &ui, sizeof(ui));
 			if (error)
 				break;
-			if (ui > 0) {
+			if (ui > 0 && ui <= TCP_TIMER_MAXTICKS) {
 				tp->t_keepinit = ui;
 				change_keepalive(so, tp);
 			} else
@@ -1961,6 +1962,9 @@ sysctl_tcp_keep(SYSCTLFN_ARGS)
 	if (error || newp == NULL)
 		return error;
 
+	if (!(tmp > 0 && tmp <= TCP_TIMER_MAXTICKS))
+		return EINVAL;
+
 	mutex_enter(softnet_lock);
 
 	*(u_int *)rnode->sysctl_data = tmp;