linux/net/ipv4
Eric Dumazet 78c4e3d484 tcp: clear saved_syn in tcp_disconnect()
[ Upstream commit 17c3060b17 ]

In the (very unlikely) case a passive socket becomes a listener,
we do not want to duplicate its saved SYN headers.

This would lead to double frees, use after free, and please hackers and
various fuzzers.

Tested:
    0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
   +0 setsockopt(3, IPPROTO_TCP, TCP_SAVE_SYN, [1], 4) = 0
   +0 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0

   +0 bind(3, ..., ...) = 0
   +0 listen(3, 5) = 0

   +0 < S 0:0(0) win 32972 <mss 1460,nop,wscale 7>
   +0 > S. 0:0(0) ack 1 <...>
  +.1 < . 1:1(0) ack 1 win 257
   +0 accept(3, ..., ...) = 4

   +0 connect(4, AF_UNSPEC, ...) = 0
   +0 close(3) = 0
   +0 bind(4, ..., ...) = 0
   +0 listen(4, 5) = 0

   +0 < S 0:0(0) win 32972 <mss 1460,nop,wscale 7>
   +0 > S. 0:0(0) ack 1 <...>
  +.1 < . 1:1(0) ack 1 win 257

Fixes: cd8ae85299 ("tcp: provide SYN headers for passive connections")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-05-02 21:19:53 -07:00
netfilter
af_inet.c net: add recursion limit to GRO 2016-11-15 07:46:38 +01:00
ah4.c
arp.c
cipso_ipv4.c netlabel: out of bound access in cipso_v4_validate() 2017-02-18 16:39:26 +01:00
datagram.c
devinet.c
esp4.c esp4: Fix integrity verification when ESN are used 2016-12-10 19:07:26 +01:00
fib_frontend.c ipv4: provide stronger user input validation in nl_fib_input() 2017-03-30 09:35:14 +02:00
fib_lookup.h
fib_rules.c
fib_semantics.c net: lwtunnel: Handle lwtunnel_fill_encap failure 2017-02-04 09:45:08 +01:00
fib_trie.c fib_trie: Correct /proc/net/route off by one error 2016-11-21 10:06:40 +01:00
fou.c net: add recursion limit to GRO 2016-11-15 07:46:38 +01:00
gre_demux.c
gre_offload.c net: add recursion limit to GRO 2016-11-15 07:46:38 +01:00
icmp.c
igmp.c igmp: Make igmp group member RFC 3376 compliant 2017-01-15 13:41:35 +01:00
inet_connection_sock.c
inet_diag.c
inet_fragment.c
inet_hashtables.c
inet_lro.c
inet_timewait_sock.c
inetpeer.c
ip_forward.c
ip_fragment.c
ip_gre.c
ip_input.c
ip_options.c
ip_output.c ipv4: Set skb->protocol properly for local output 2016-12-10 19:07:26 +01:00
ip_sockglue.c ip: fix IP_CHECKSUM handling 2017-02-26 11:07:50 +01:00
ip_tunnel_core.c tunnels: Remove encapsulation offloads on decap. 2016-10-31 04:13:59 -06:00
ip_tunnel.c
ip_vti.c
ipcomp.c
ipconfig.c
ipip.c
ipmr.c ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route 2016-11-15 07:46:37 +01:00
Kconfig
Makefile
netfilter.c
ping.c ping: implement proper locking 2017-04-30 05:49:29 +02:00
proc.c
protocol.c
raw.c
route.c net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given 2017-05-02 21:19:52 -07:00
syncookies.c
sysctl_net_ipv4.c ipv4: use the right lock for ping_group_range 2016-11-15 07:46:38 +01:00
tcp_bic.c
tcp_cdg.c
tcp_cong.c
tcp_cubic.c
tcp_dctcp.c dctcp: avoid bogus doubling of cwnd after loss 2016-11-21 10:06:39 +01:00
tcp_diag.c
tcp_fastopen.c tcp: initialize max window for a new fastopen socket 2017-02-04 09:45:09 +01:00
tcp_highspeed.c
tcp_htcp.c
tcp_hybla.c
tcp_illinois.c
tcp_input.c tcp: initialize icsk_ack.lrcvtime at session start time 2017-03-30 09:35:14 +02:00
tcp_ipv4.c dccp/tcp: fix routing redirect race 2017-03-22 12:04:17 +01:00
tcp_lp.c
tcp_memcontrol.c
tcp_metrics.c
tcp_minisocks.c tcp: initialize icsk_ack.lrcvtime at session start time 2017-03-30 09:35:14 +02:00
tcp_offload.c
tcp_output.c tcp: fix 0 divide in __tcp_select_window() 2017-02-18 16:39:26 +01:00
tcp_probe.c
tcp_recovery.c
tcp_scalable.c
tcp_timer.c tcp: fix various issues for sockets morphing to listen state 2017-03-22 12:04:15 +01:00
tcp_vegas.c
tcp_vegas.h
tcp_veno.c
tcp_westwood.c
tcp_yeah.c
tcp.c tcp: clear saved_syn in tcp_disconnect() 2017-05-02 21:19:53 -07:00
tunnel4.c
udp_diag.c
udp_impl.h
udp_offload.c net: add recursion limit to GRO 2016-11-15 07:46:38 +01:00
udp_tunnel.c
udp.c udp: fix IP_CHECKSUM handling 2016-11-15 07:46:39 +01:00
udplite.c
xfrm4_input.c
xfrm4_mode_beet.c
xfrm4_mode_transport.c
xfrm4_mode_tunnel.c
xfrm4_output.c
xfrm4_policy.c
xfrm4_protocol.c
xfrm4_state.c
xfrm4_tunnel.c