diff options
author | Eric Dumazet <eric.dumazet@gmail.com> | 2009-10-09 00:43:40 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2009-10-13 06:16:54 -0400 |
commit | 85584672012ee0c3b7b8e033a1ecf7c11878e45f (patch) | |
tree | f35b38f084453e2d7260d4a7a8d13f2a01641664 | |
parent | 9652041da18a1a1d9a0b7ebd9eef16bd712be38a (diff) |
udp: Fix udp_poll() and ioctl()
udp_poll() can in some circumstances drop frames with incorrect checksums.
Problem is we now have to lock the socket while dropping frames, or risk
sk_forward corruption.
This bug is present since commit 95766fff6b9a78d1
([UDP]: Add memory accounting.)
While we are at it, we can correct ioctl(SIOCINQ) to also drop bad frames.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv4/udp.c | 73 |
1 files changed, 43 insertions, 30 deletions
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index 6ec6a8a4a22..d0d436d6216 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c | |||
@@ -841,6 +841,42 @@ out: | |||
841 | return ret; | 841 | return ret; |
842 | } | 842 | } |
843 | 843 | ||
844 | |||
845 | /** | ||
846 | * first_packet_length - return length of first packet in receive queue | ||
847 | * @sk: socket | ||
848 | * | ||
849 | * Drops all bad checksum frames, until a valid one is found. | ||
850 | * Returns the length of found skb, or 0 if none is found. | ||
851 | */ | ||
852 | static unsigned int first_packet_length(struct sock *sk) | ||
853 | { | ||
854 | struct sk_buff_head list_kill, *rcvq = &sk->sk_receive_queue; | ||
855 | struct sk_buff *skb; | ||
856 | unsigned int res; | ||
857 | |||
858 | __skb_queue_head_init(&list_kill); | ||
859 | |||
860 | spin_lock_bh(&rcvq->lock); | ||
861 | while ((skb = skb_peek(rcvq)) != NULL && | ||
862 | udp_lib_checksum_complete(skb)) { | ||
863 | UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, | ||
864 | IS_UDPLITE(sk)); | ||
865 | __skb_unlink(skb, rcvq); | ||
866 | __skb_queue_tail(&list_kill, skb); | ||
867 | } | ||
868 | res = skb ? skb->len : 0; | ||
869 | spin_unlock_bh(&rcvq->lock); | ||
870 | |||
871 | if (!skb_queue_empty(&list_kill)) { | ||
872 | lock_sock(sk); | ||
873 | __skb_queue_purge(&list_kill); | ||
874 | sk_mem_reclaim_partial(sk); | ||
875 | release_sock(sk); | ||
876 | } | ||
877 | return res; | ||
878 | } | ||
879 | |||
844 | /* | 880 | /* |
845 | * IOCTL requests applicable to the UDP protocol | 881 | * IOCTL requests applicable to the UDP protocol |
846 | */ | 882 | */ |
@@ -857,21 +893,16 @@ int udp_ioctl(struct sock *sk, int cmd, unsigned long arg) | |||
857 | 893 | ||
858 | case SIOCINQ: | 894 | case SIOCINQ: |
859 | { | 895 | { |
860 | struct sk_buff *skb; | 896 | unsigned int amount = first_packet_length(sk); |
861 | unsigned long amount; | ||
862 | 897 | ||
863 | amount = 0; | 898 | if (amount) |
864 | spin_lock_bh(&sk->sk_receive_queue.lock); | ||
865 | skb = skb_peek(&sk->sk_receive_queue); | ||
866 | if (skb != NULL) { | ||
867 | /* | 899 | /* |
868 | * We will only return the amount | 900 | * We will only return the amount |
869 | * of this packet since that is all | 901 | * of this packet since that is all |
870 | * that will be read. | 902 | * that will be read. |
871 | */ | 903 | */ |
872 | amount = skb->len - sizeof(struct udphdr); | 904 | amount -= sizeof(struct udphdr); |
873 | } | 905 | |
874 | spin_unlock_bh(&sk->sk_receive_queue.lock); | ||
875 | return put_user(amount, (int __user *)arg); | 906 | return put_user(amount, (int __user *)arg); |
876 | } | 907 | } |
877 | 908 | ||
@@ -1540,29 +1571,11 @@ unsigned int udp_poll(struct file *file, struct socket *sock, poll_table *wait) | |||
1540 | { | 1571 | { |
1541 | unsigned int mask = datagram_poll(file, sock, wait); | 1572 | unsigned int mask = datagram_poll(file, sock, wait); |
1542 | struct sock *sk = sock->sk; | 1573 | struct sock *sk = sock->sk; |
1543 | int is_lite = IS_UDPLITE(sk); | ||
1544 | 1574 | ||
1545 | /* Check for false positives due to checksum errors */ | 1575 | /* Check for false positives due to checksum errors */ |
1546 | if ((mask & POLLRDNORM) && | 1576 | if ((mask & POLLRDNORM) && !(file->f_flags & O_NONBLOCK) && |
1547 | !(file->f_flags & O_NONBLOCK) && | 1577 | !(sk->sk_shutdown & RCV_SHUTDOWN) && !first_packet_length(sk)) |
1548 | !(sk->sk_shutdown & RCV_SHUTDOWN)) { | 1578 | mask &= ~(POLLIN | POLLRDNORM); |
1549 | struct sk_buff_head *rcvq = &sk->sk_receive_queue; | ||
1550 | struct sk_buff *skb; | ||
1551 | |||
1552 | spin_lock_bh(&rcvq->lock); | ||
1553 | while ((skb = skb_peek(rcvq)) != NULL && | ||
1554 | udp_lib_checksum_complete(skb)) { | ||
1555 | UDP_INC_STATS_BH(sock_net(sk), | ||
1556 | UDP_MIB_INERRORS, is_lite); | ||
1557 | __skb_unlink(skb, rcvq); | ||
1558 | kfree_skb(skb); | ||
1559 | } | ||
1560 | spin_unlock_bh(&rcvq->lock); | ||
1561 | |||
1562 | /* nothing to see, move along */ | ||
1563 | if (skb == NULL) | ||
1564 | mask &= ~(POLLIN | POLLRDNORM); | ||
1565 | } | ||
1566 | 1579 | ||
1567 | return mask; | 1580 | return mask; |
1568 | 1581 | ||