authorIlpo Järvinen <ilpo.jarvinen@helsinki.fi>2007-11-14 18:47:18 -0500
committerDavid S. Miller <davem@davemloft.net>2007-11-14 18:47:18 -0500
commit96a2d41a3e495734b63bff4e5dd0112741b93b38 (patch)
tree4190a560eabaa8dd6a78c1bf2d43515605954874
parentfb93134dfc2a6e6fbedc7c270a31da03fce88db9 (diff)
[TCP]: Make sure write_queue_from does not begin with NULL ptr
NULL ptr can be returned from tcp_write_queue_head to cached_skb and then assigned to skb if packets_out was zero. Without this, the system is vulnerable to carefully crafted ACKs, which obviously is remotely triggerable. Besides, there's very little that needs to be done in sacktag if there weren't any packets outstanding, so just skipping the rest doesn't hurt. Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv4/tcp_input.c5
1 files changed, 5 insertions, 0 deletions
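diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 12ae9a68cdaa..3f126ece8eb5 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1269,6 +1269,9 @@ tcp_sacktag_write_queue(struct sock *sk, struct sk_buff *ack_skb, u32 prior_snd_
 if (before(TCP_SKB_CB(ack_skb)->ack_seq, prior_snd_una - tp->max_window))
 return 0;
 
+if (!tp->packets_out)
+goto out;
+
 /* SACK fastpath:
 * if the only SACK change is the increase of the end_seq of
 * the first block then only apply that SACK block
@@ -1515,6 +1518,8 @@ tcp_sacktag_write_queue(struct sock *sk, struct sk_buff *ack_skb, u32 prior_snd_
 (!tp->frto_highmark || after(tp->snd_una, tp->frto_highmark)))
 tcp_update_reordering(sk, tp->fackets_out - reord, 0);
 
+out:
+
 #if FASTRETRANS_DEBUG > 0
 BUG_TRAP((int)tp->sacked_out >= 0);
 BUG_TRAP((int)tp->lost_out >= 0);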
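Review bot: The new `if (!tp->packets_out) goto out;` guard in the first hunk carries no comment, so a later reader cannot tell that it exists because tcp_write_queue_head() yields a NULL skb when nothing is in flight and the sacktag walk would dereference it on a crafted ACK; I would add `/* No packets in flight: the write queue head is NULL and there is nothing to tag. */` above the check. The body of tcp_sacktag_write_queue starts before the first hunk and its return statement lies after the second, so the value returned via the new `out:` path is not visible here; it is presumably the function's flag accumulator and should be confirmed to hold its initial value at that point. As a style point, the `out:` label is followed by a blank line and then the `#if FASTRETRANS_DEBUG` block, so when the debug code is compiled out the label attaches to whatever statement follows the `#endif`; placing the label immediately before a concrete statement would make that dependency explicit.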