iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
097994b3d14b3fb320e30b8359ac254e86d9c6d9
linux/net/ipv4
History
Eric Dumazet 78c4e3d484 tcp: clear saved_syn in tcp_disconnect() 
[ Upstream commit 17c3060b17 ]

In the (very unlikely) case a passive socket becomes a listener,
we do not want to duplicate its saved SYN headers.

This would lead to double frees, use after free, and please hackers and
various fuzzers

Tested:
    0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
   +0 setsockopt(3, IPPROTO_TCP, TCP_SAVE_SYN, [1], 4) = 0
   +0 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0

   +0 bind(3, ..., ...) = 0
   +0 listen(3, 5) = 0

   +0 < S 0:0(0) win 32972 <mss 1460,nop,wscale 7>
   +0 > S. 0:0(0) ack 1 <...>
  +.1 < . 1:1(0) ack 1 win 257
   +0 accept(3, ..., ...) = 4

   +0 connect(4, AF_UNSPEC, ...) = 0
   +0 close(3) = 0
   +0 bind(4, ..., ...) = 0
   +0 listen(4, 5) = 0

   +0 < S 0:0(0) win 32972 <mss 1460,nop,wscale 7>
   +0 > S. 0:0(0) ack 1 <...>
  +.1 < . 1:1(0) ack 1 win 257

Fixes: cd8ae85299 ("tcp: provide SYN headers for passive connections")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-05-02 21:19:53 -07:00
..
netfilter
netfilter: x_tables: introduce and use xt_copy_counters_from_user
2016-06-24 10:18:24 -07:00
af_inet.c
net: add recursion limit to GRO
2016-11-15 07:46:38 +01:00
ah4.c
ah4: Fix error return in ah_input().
2015-08-25 13:38:50 -07:00
arp.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2015-10-20 06:08:27 -07:00
cipso_ipv4.c
netlabel: out of bound access in cipso_v4_validate()
2017-02-18 16:39:26 +01:00
datagram.c
net: Set sk_txhash from a random number
2015-07-29 22:44:04 -07:00
devinet.c
ipv4: Don't do expensive useless work during inetdev destroy.
2016-04-20 15:42:03 +09:00
esp4.c
esp4: Fix integrity verification when ESN are used
2016-12-10 19:07:26 +01:00
fib_frontend.c
ipv4: provide stronger user input validation in nl_fib_input()
2017-03-30 09:35:14 +02:00
fib_lookup.h
ipv4: consider TOS in fib_select_default
2015-07-24 22:46:11 -07:00
fib_rules.c
net: ipv6: use common fib_default_rule_pref
2015-09-09 14:19:50 -07:00
fib_semantics.c
net: lwtunnel: Handle lwtunnel_fill_encap failure
2017-02-04 09:45:08 +01:00
fib_trie.c
fib_trie: Correct /proc/net/route off by one error
2016-11-21 10:06:40 +01:00
fou.c
net: add recursion limit to GRO
2016-11-15 07:46:38 +01:00
gre_demux.c
gre: Remove support for sharing GRE protocol hook.
2015-08-10 14:03:54 -07:00
gre_offload.c
net: add recursion limit to GRO
2016-11-15 07:46:38 +01:00
icmp.c
Revert "ipv4/icmp: redirect messages can use the ingress daddr as source"
2015-10-14 06:01:07 -07:00
igmp.c
igmp: Make igmp group member RFC 3376 compliant
2017-01-15 13:41:35 +01:00
inet_connection_sock.c
tcp/dccp: fix another race at listener dismantle
2016-03-03 15:07:07 -08:00
inet_diag.c
tcp/dccp: install syn_recv requests into ehash table
2015-10-03 04:32:41 -07:00
inet_fragment.c
net: fix percpu memory leaks
2015-11-02 22:47:14 -05:00
inet_hashtables.c
tcp/dccp: fix hashdance race for passive sessions
2015-10-23 05:42:21 -07:00
inet_lro.c
inet_timewait_sock.c
tcp/dccp: fix timewait races in timer handling
2015-09-21 16:32:29 -07:00
inetpeer.c
net: Add helper function to compare inetpeer addresses
2015-08-28 13:32:36 -07:00
ip_forward.c
net: Pass net into dst_output and remove dst_output_okfn
2015-10-08 04:26:54 -07:00
ip_fragment.c
inet: frag: Always orphan skbs inside ip_defrag()
2016-03-03 15:07:04 -08:00
ip_gre.c
vxlan, gre, geneve: Set a large MTU on ovs-created tunnel devices
2016-06-24 10:18:18 -07:00
ip_input.c
ipv4: Pass struct net into ip_defrag and ip_check_defrag
2015-10-12 19:44:16 -07:00
ip_options.c
ipv4: coding style: comparison for inequality with NULL
2015-04-03 12:11:15 -04:00
ip_output.c
ipv4: Set skb->protocol properly for local output
2016-12-10 19:07:26 +01:00
ip_sockglue.c
ip: fix IP_CHECKSUM handling
2017-02-26 11:07:50 +01:00
ip_tunnel_core.c
tunnels: Remove encapsulation offloads on decap.
2016-10-31 04:13:59 -06:00
ip_tunnel.c
vxlan, gre, geneve: Set a large MTU on ovs-created tunnel devices
2016-06-24 10:18:18 -07:00
ip_vti.c
vti: flush x-netns xfrm cache when vti interface is removed
2016-09-30 10:18:36 +02:00
ipcomp.c
ipv4: coding style: comparison for equality with NULL
2015-04-03 12:11:15 -04:00
ipconfig.c
ipconfig: send Client-identifier in DHCP requests
2015-10-18 19:23:52 -07:00
ipip.c
ipip: ioctl: Remove superfluous IP-TTL handling.
2015-12-18 16:07:59 -05:00
ipmr.c
ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route
2016-11-15 07:46:37 +01:00
Kconfig
geneve: Consolidate Geneve functionality in single module.
2015-08-27 15:42:48 -07:00
Makefile
tcp: track the packet timings in RACK
2015-10-21 07:00:48 -07:00
netfilter.c
ipv4: Pass struct net into ip_route_me_harder
2015-09-29 20:21:32 +02:00
ping.c
ping: implement proper locking
2017-04-30 05:49:29 +02:00
proc.c
net: track success and failure of TCP PMTU probing
2015-07-21 22:36:33 -07:00
protocol.c
net: Export inet_offloads and inet6_offloads
2014-09-19 17:15:31 -04:00
raw.c
ipv4: fix memory leaks in ip_cmsg_send() callers
2016-03-03 15:07:06 -08:00
route.c
net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given
2017-05-02 21:19:52 -07:00
syncookies.c
tcp/dccp: fix hashdance race for passive sessions
2015-10-23 05:42:21 -07:00
sysctl_net_ipv4.c
ipv4: use the right lock for ping_group_range
2016-11-15 07:46:38 +01:00
tcp_bic.c
tcp: add tcp_in_slow_start helper
2015-07-09 14:22:52 -07:00
tcp_cdg.c
tcp: do not slow start when cwnd equals ssthresh
2015-07-09 14:22:52 -07:00
tcp_cong.c
tcp: remove tcp_ecn_make_synack() socket argument
2015-09-25 13:00:38 -07:00
tcp_cubic.c
tcp_cubic: do not set epoch_start in the future
2015-09-17 22:35:07 -07:00
tcp_dctcp.c
dctcp: avoid bogus doubling of cwnd after loss
2016-11-21 10:06:39 +01:00
tcp_diag.c
tcp: ensure proper barriers in lockless contexts
2015-11-15 18:36:38 -05:00
tcp_fastopen.c
tcp: initialize max window for a new fastopen socket
2017-02-04 09:45:09 +01:00
tcp_highspeed.c
tcp: add tcp_in_slow_start helper
2015-07-09 14:22:52 -07:00
tcp_htcp.c
tcp: add tcp_in_slow_start helper
2015-07-09 14:22:52 -07:00
tcp_hybla.c
tcp: do not slow start when cwnd equals ssthresh
2015-07-09 14:22:52 -07:00
tcp_illinois.c
tcp: add tcp_in_slow_start helper
2015-07-09 14:22:52 -07:00
tcp_input.c
tcp: initialize icsk_ack.lrcvtime at session start time
2017-03-30 09:35:14 +02:00
tcp_ipv4.c
dccp/tcp: fix routing redirect race
2017-03-22 12:04:17 +01:00
tcp_lp.c
tcp_memcontrol.c
memcg: cleanup static keys decrement
2015-02-12 18:54:10 -08:00
tcp_metrics.c
tcp: convert cached rtt from usec to jiffies when feeding initial rto
2016-04-20 15:41:56 +09:00
tcp_minisocks.c
tcp: initialize icsk_ack.lrcvtime at session start time
2017-03-30 09:35:14 +02:00
tcp_offload.c
tcp: reserve tcp_skb_mss() to tcp stack
2015-06-11 16:33:10 -07:00
tcp_output.c
tcp: fix 0 divide in __tcp_select_window()
2017-02-18 16:39:26 +01:00
tcp_probe.c
tcp: whitespace fixes
2014-09-01 18:12:45 -07:00
tcp_recovery.c
tcp: use RACK to detect losses
2015-10-21 07:00:53 -07:00
tcp_scalable.c
tcp: add tcp_in_slow_start helper
2015-07-09 14:22:52 -07:00
tcp_timer.c
tcp: fix various issues for sockets morphing to listen state
2017-03-22 12:04:15 +01:00
tcp_vegas.c
tcp: add tcp_in_slow_start helper
2015-07-09 14:22:52 -07:00
tcp_vegas.h
tcp: prepare CC get_info() access from getsockopt()
2015-04-29 17:10:38 -04:00
tcp_veno.c
tcp: add tcp_in_slow_start helper
2015-07-09 14:22:52 -07:00
tcp_westwood.c
tcp_westwood: fix tcp_westwood_info()
2015-05-05 19:50:09 -04:00
tcp_yeah.c
tcp: cwnd does not increase in TCP YeAH
2016-09-30 10:18:34 +02:00
tcp.c
tcp: clear saved_syn in tcp_disconnect()
2017-05-02 21:19:53 -07:00
tunnel4.c
udp_diag.c
sock_diag: specify info_size per inet protocol
2015-06-15 19:49:22 -07:00
udp_impl.h
net: Remove iocb argument from sendmsg and recvmsg
2015-03-02 13:06:31 -05:00
udp_offload.c
net: add recursion limit to GRO
2016-11-15 07:46:38 +01:00
udp_tunnel.c
tunnel: Clear IPCB(skb)->opt before dst_link_failure called
2016-04-20 15:41:56 +09:00
udp.c
udp: fix IP_CHECKSUM handling
2016-11-15 07:46:39 +01:00
udplite.c
xfrm4_input.c
netfilter: Pass net into okfn
2015-09-17 17:18:37 -07:00
xfrm4_mode_beet.c
xfrm4_mode_transport.c
xfrm4_mode_tunnel.c
ipv4: hash net ptr into fragmentation bucket selection
2015-03-25 14:07:04 -04:00
xfrm4_output.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2015-10-24 06:54:12 -07:00
xfrm4_policy.c
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
2015-12-22 16:26:31 -05:00
xfrm4_protocol.c
xfrm4: Remove duplicate semicolon
2014-06-30 07:49:47 +02:00
xfrm4_state.c
xfrm4_tunnel.c