From 361808726f2f98c1b9ddc31a9b8acf7954cec760 Mon Sep 17 00:00:00 2001
From: Ayush Ranjan <ayushranjan@google.com>
Date: Tue, 15 Apr 2025 12:28:39 -0700
Subject: [PATCH] Fix overflow in tcp.sender.sendData() for 32-bit
 architectures.

Fixes #11632

PiperOrigin-RevId: 747977713
---
 pkg/tcpip/transport/tcp/snd.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/pkg/tcpip/transport/tcp/snd.go b/pkg/tcpip/transport/tcp/snd.go
index 5dccf81d1e..75f85129f7 100644
--- a/pkg/tcpip/transport/tcp/snd.go
+++ b/pkg/tcpip/transport/tcp/snd.go
@@ -1018,9 +1018,10 @@ func (s *sender) sendData() {
 
 	var dataSent bool
 	for seg := s.writeNext; seg != nil && s.Outstanding < s.SndCwnd; seg = seg.Next() {
-		cwndLimit := (s.SndCwnd - s.Outstanding) * s.MaxPayloadSize
-		if cwndLimit < limit {
-			limit = cwndLimit
+		// NOTE(gvisor.dev/issue/11632): Use uint64 to avoid overflow.
+		cwndLimit := uint64(s.SndCwnd-s.Outstanding) * uint64(s.MaxPayloadSize)
+		if cwndLimit < uint64(limit) {
+			limit = int(cwndLimit)
 		}
 		if s.isAssignedSequenceNumber(seg) && s.ep.SACKPermitted && s.ep.scoreboard.IsSACKED(seg.sackBlock()) {
 			// Move writeNext along so that we don't try and scan data that