From 8fa55d03bd7bd0d0afc7c09b2d052ec6f957b2e0 Mon Sep 17 00:00:00 2001
From: Jesper Dangaard Brouer
Date: Tue, 18 Dec 2012 22:59:03 -0800
Subject: [PATCH] Divide by zero in TCP congestion control Algorithm.
Orabug: 16020656
Bug-db: 14798
CVE: CVE-2012-4565
The TCP Illinois congestion control algorithm does not correctly handle a zero number of RTTs when reading TCP stats, leading to a divide-by-zero and kernel panic. A remote attacker could potentially use this flaw to cause a remote denial of service.
Cc: Petr Matousek
Signed-off-by: Jesper Dangaard Brouer
Signed-off-by: Chuck Anderson
Reviewed-by: Guangyu Sun
---
net/ipv4/tcp_illinois.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c
index 813b43a76fec..834857f3c871 100644
--- a/net/ipv4/tcp_illinois.c
+++ b/net/ipv4/tcp_illinois.c
@@ -313,11 +313,13 @@ static void tcp_illinois_info(struct sock *sk, u32 ext,
 .tcpv_rttcnt = ca->cnt_rtt,
 .tcpv_minrtt = ca->base_rtt,
 };
- u64 t = ca->sum_rtt;
- do_div(t, ca->cnt_rtt);
- info.tcpv_rtt = t;
+ if (info.tcpv_rttcnt > 0) {
+ u64 t = ca->sum_rtt;
+ do_div(t, info.tcpv_rttcnt);
+ info.tcpv_rtt = t;
+ }
 nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
 }
 }
-- 
2.50.1
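Review bot: The new guard and the `do_div()` both use the local copy `info.tcpv_rttcnt` rather than `ca->cnt_rtt`, but no comment says why, so a later cleanup could switch the divisor back to the live field and reopen the divide-by-zero if that field can be reset between the check and the division (whether this path runs without the socket lock is not visible in the hunk). I would add above the `if`: `/* Test and divide by the snapshot in info: ca->cnt_rtt may drop to 0 between the check and the division. */`. When the count is zero, `tcpv_rtt` is reported as 0 only because the designated initializer zeroes the omitted member, which also keeps uninitialised stack bytes out of the `nla_put()` payload; the same comment should say so. `ca->sum_rtt` is still read separately from the count, so the average can presumably come from a mismatched pair; that cannot crash, but it should be confirmed as acceptable for a diagnostic value. `tcp_illinois_info()` begins above the hunk.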