diff options
| author | Eric Dumazet <edumazet@google.com> | 2015-08-10 18:07:34 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-08-11 00:17:45 -0400 |
| commit | 3257d8b12f954c462d29de6201664a846328a522 (patch) | |
| tree | 95c8d45df7f0a2919a0c7bd363dc94a57dcddf05 /net/ipv4/tcp_ipv4.c | |
| parent | 2235f2ac75fd2501c251b0b699a9632e80239a6d (diff) | |
inet: fix possible request socket leak
In commit b357a364c57c9 ("inet: fix possible panic in
reqsk_queue_unlink()"), I missed fact that tcp_check_req()
can return the listener socket in one case, and that we must
release the request socket refcount or we leak it.
Tested:
Following packetdrill test template shows the issue
0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1) = 0
+0 < S 0:0(0) win 2920 <mss 1460,sackOK,nop,nop>
+0 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK>
+.002 < . 1:1(0) ack 21 win 2920
+0 > R 21:21(0)
Fixes: b357a364c57c9 ("inet: fix possible panic in reqsk_queue_unlink()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/tcp_ipv4.c')
| -rw-r--r-- | net/ipv4/tcp_ipv4.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index d7d4c2b79cf2..0ea2e1c5d395 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c | |||
| @@ -1348,7 +1348,7 @@ static struct sock *tcp_v4_hnd_req(struct sock *sk, struct sk_buff *skb) | |||
| 1348 | req = inet_csk_search_req(sk, th->source, iph->saddr, iph->daddr); | 1348 | req = inet_csk_search_req(sk, th->source, iph->saddr, iph->daddr); |
| 1349 | if (req) { | 1349 | if (req) { |
| 1350 | nsk = tcp_check_req(sk, skb, req, false); | 1350 | nsk = tcp_check_req(sk, skb, req, false); |
| 1351 | if (!nsk) | 1351 | if (!nsk || nsk == sk) |
| 1352 | reqsk_put(req); | 1352 | reqsk_put(req); |
| 1353 | return nsk; | 1353 | return nsk; |
| 1354 | } | 1354 | } |