linux/net
Wei Wang 7db92362d2 tcp: fix potential double free issue for fastopen_req
tp->fastopen_req could potentially be double freed if a malicious
user does the following:
1. Enable TCP_FASTOPEN_CONNECT sockopt and do a connect() on the socket.
2. Call connect() with AF_UNSPEC to disconnect the socket.
3. Make this socket a listening socket by calling listen().
4. Accept incoming connections and generate child sockets. All child
   sockets will get a copy of the pointer of fastopen_req.
5. Call close() on all sockets. fastopen_req will get freed multiple
   times.

Fixes: 19f6d3f3c8 ("net/tcp-fastopen: Add new API support")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-03-02 14:05:41 -08:00
..
6lowpan 6lowpan: use rb_entry() 2017-01-22 16:46:13 -05:00
9p
802 Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
8021q net: remove ndo_neigh_{construct, destroy} from stacked devices 2017-02-06 11:25:57 -05:00
appletalk lib/vsprintf.c: remove %Z support 2017-02-27 18:43:47 -08:00
atm lib/vsprintf.c: remove %Z support 2017-02-27 18:43:47 -08:00
ax25 ax25: Fix segfault after sock connection timeout 2017-01-16 14:39:58 -05:00
batman-adv Here are two batman-adv bugfixes: 2017-03-02 13:16:08 -08:00
bluetooth scripts/spelling.txt: add "an user" pattern and fix typo instances 2017-02-27 18:43:46 -08:00
bridge net: bridge: allow IPv6 when multicast flood is disabled 2017-03-01 20:55:57 -08:00
caif net: caif: Remove unused stats member from struct chnl_net 2017-01-19 11:45:21 -05:00
can can: bcm: fix hrtimer/tasklet termination in bcm op removal 2017-01-30 11:05:04 +01:00
ceph This time around we have: 2017-02-28 15:36:09 -08:00
core net: Introduce sk_clone_lock() error path routine 2017-03-02 13:19:33 -08:00
dcb net: dcb: set error code on failures 2016-12-03 23:54:25 -05:00
dccp net: Introduce sk_clone_lock() error path routine 2017-03-02 13:19:33 -08:00
decnet Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
dns_resolver
dsa Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-02-11 02:31:11 -05:00
ethernet Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2017-02-16 21:25:49 -05:00
hsr net/hsr: use eth_hw_addr_random() 2017-02-21 13:25:22 -05:00
ieee802154 lib/vsprintf.c: remove %Z support 2017-02-27 18:43:47 -08:00
ife net: Introduce ife encapsulation module 2017-02-03 15:16:45 -05:00
ipv4 tcp: fix potential double free issue for fastopen_req 2017-03-02 14:05:41 -08:00
ipv6 ipv6: check for ip6_null_entry in __ip6_del_rt_siblings() 2017-03-02 12:43:47 -08:00
ipx ktime: Get rid of the union 2016-12-25 17:21:22 +01:00
irda lib/vsprintf.c: remove %Z support 2017-02-27 18:43:47 -08:00
iucv net/af_iucv: don't use paged skbs for TX on HiperSockets 2017-01-10 21:08:29 -05:00
kcm kcm: fix a null pointer dereference in kcm_sendmsg() 2017-02-14 13:06:37 -05:00
key netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
l2tp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-02-28 10:00:39 -08:00
l3mdev
lapb Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
llc net/llc: avoid BUG_ON() in skb_orphan() 2017-02-12 22:14:49 -05:00
mac80211 First round of fixes - details in the commits: 2017-03-01 15:08:34 -08:00
mac802154 ktime: Cleanup ktime_set() usage 2016-12-25 17:21:22 +01:00
mpls net: mpls: Add support for netconf 2017-02-20 11:13:37 -05:00
ncsi
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-02-28 10:00:39 -08:00
netlabel netlabel: add CALIPSO to the list of built-in protocols 2017-01-06 22:20:45 -05:00
netlink net: adjust skb->truesize in pskb_expand_head() 2017-01-27 12:03:29 -05:00
netrom
nfc
openvswitch openvswitch: actions: fixed a brace coding style warning 2017-03-02 13:14:44 -08:00
packet net: don't call strlen() on the user buffer in packet_bind_spkt() 2017-03-01 20:55:57 -08:00
phonet netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
psample net: Introduce psample, a new genetlink channel for packet sampling 2017-01-24 13:44:28 -05:00
qrtr net: qrtr: Mark 'buf' as little endian 2017-01-10 20:45:04 -05:00
rds rds: ib: add the static type to the variables 2017-03-01 09:50:58 -08:00
rfkill rfkill: remove rfkill-regulator 2017-01-24 11:07:35 +01:00
rose Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
rxrpc rxrpc: Fix deadlock between call creation and sendmsg/recvmsg 2017-03-01 09:50:58 -08:00
sched net sched actions: do not overwrite status of action creation. 2017-02-26 21:31:32 -05:00
sctp sctp: call rcu_read_lock before checking for duplicate transport nodes 2017-03-01 09:50:58 -08:00
smc smc: some potential use after free bugs 2017-01-30 16:37:55 -05:00
strparser
sunrpc The nfsd update this round is mainly a lot of miscellaneous cleanups and 2017-02-28 15:39:09 -08:00
switchdev
tipc tipc: move premature initilalization of stack variables 2017-02-24 11:42:54 -05:00
unix unix: add ioctl to open a unix socket file with O_PATH 2017-02-02 21:58:02 -05:00
vmw_vsock Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-12-17 20:17:04 -08:00
wimax
wireless Some more updates: 2017-02-10 14:31:51 -05:00
x25 Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
xfrm xfrm: provide correct dst in xfrm_neigh_lookup 2017-02-26 21:35:24 -05:00
compat.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-02-22 10:15:09 -08:00
Kconfig bpf: make jited programs visible in traces 2017-02-17 13:40:05 -05:00
Makefile net: Introduce ife encapsulation module 2017-02-03 15:16:45 -05:00
socket.c net: socket: fix recvmmsg not returning error from sock_error 2017-02-21 13:35:25 -05:00
sysctl_net.c