Project

General

Profile

Actions
Copy link

Bug #439

open

tp_meter: potential overflow of dec_cwnd

Added by Sven Eckelmann 14 days ago. Updated 14 days ago.

Status:
New
Priority:
Normal
Assignee:
Antonio Quartulli
Target version:
-
Start date:
06/04/2026
Due date:
% Done:

0%

Estimated time:

Description

batadv_tp_update_cwnd() might potentially overflow:

While mss is safely clamped to 16383 for the 32-bit dividend calculation, tp_vars->dec_cwnd is defined as a u16 in struct batadv_tp_vars:

net/batman-adv/types.h:struct batadv_tp_vars {
        ...
        u16 dec_cwnd;
        ...
};

If mss is 8192 or greater (such as when using jumbo frames with a 9000 byte MTU), mss << 3 evaluates to 65536 or higher.

Since a u16 maxes out at 65535, the comparison tp_vars->dec_cwnd < (mss << 3) will always evaluate to true.

Could this cause batadv_tp_update_cwnd() to continuously return early without ever incrementing cwnd, permanently stalling congestion window growth?

See: https://sashiko.dev/#/patchset/20260603072527.174487-1-sw@simonwunderlich.de?part=5

Actions
Copy link
 #1

Updated by Sven Eckelmann 14 days ago

  • Description updated (diff)
Actions
Copy link
 #2

Updated by Sven Eckelmann 14 days ago

  • Description updated (diff)
Actions
Copy link

Also available in: Atom PDF