Fix NULL pointer dereference in tcp_nuke_addr.

tcp_nuke_addr only grabs the bottom half socket lock, but not the
userspace socket lock. This allows a userspace program to call
close() while the socket is running, which causes a NULL pointer
dereference in inet_put_port.

Bug: 23663111
Bug: 24072792
Change-Id: Iecb63af68c2db4764c74785153d1c9054f76b94f
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
(cherry picked from commit 74d66ee756afcc3269e4c1341f793c52be629af9)
Lorenzo Colitti 2015-09-15 00:14:23 +09:00 committed by Huang, Tao
parent 0f5728d8fa
commit abe081915c


@ -3568,14 +3568,17 @@ int tcp_nuke_addr(struct net *net, struct sockaddr *addr)
sock_hold(sk);
spin_unlock_bh(lock);
lock_sock(sk);
// TODO:
// Check for SOCK_DEAD again, it could have changed.
// Add a write barrier, see tcp_reset().
local_bh_disable();
bh_lock_sock(sk);
sk->sk_err = ETIMEDOUT;
sk->sk_error_report(sk);
tcp_done(sk);
bh_unlock_sock(sk);
local_bh_enable();
release_sock(sk);
sock_put(sk);
goto restart;
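Review bot: the TODO left in this hunk is the actual race the commit message describes and should be resolved in the same change rather than deferred. Between `spin_unlock_bh(lock)` and `lock_sock(sk)` a userspace close() can complete, so after `lock_sock(sk)` the code should recheck the SOCK_DEAD state (and skip `tcp_done(sk)` when the socket is already dead) before marking the error; the "Add a write barrier, see tcp_reset()" item likewise belongs in this patch, since `sk->sk_err = ETIMEDOUT` must be visible before `sk->sk_error_report(sk)` wakes readers. The `sock_hold(sk)` / `sock_put(sk)` pairing around `lock_sock`/`release_sock` reads correctly and keeps the struct alive across the lock acquisition, which is what prevents the inet_put_port NULL dereference; a one-line comment stating that intent would help future readers.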