aboutsummaryrefslogtreecommitdiffstats
path: root/net/dccp
diff options
context:
space:
mode:
authorGerrit Renker <gerrit@erg.abdn.ac.uk>2008-08-19 00:14:20 -0400
committerDavid S. Miller <davem@davemloft.net>2008-08-19 00:14:20 -0400
commitd28934ad8a4e87203a95de9c376611de8bc2f013 (patch)
tree4ee2a055492d3c462101edd9945e199450497f30 /net/dccp
parent4d8863a29c4755a0461cd31b6865026187d6c43a (diff)
dccp: Fix panic caused by too early termination of retransmission mechanism
Thanks is due to Wei Yongjun for the detailed analysis and description of this bug at http://marc.info/?l=dccp&m=121739364909199&w=2 The problem is that invalid packets received by a client in state REQUEST cause the retransmission timer for the DCCP-Request to be reset. This includes freeing the Request-skb ( in dccp_rcv_request_sent_state_process() ). As a consequence, * the arrival of further packets cause a double-free, triggering a panic(), * the connection then may hang, since further retransmissions are blocked. This patch changes the order of statements so that the retransmission timer is reset, and the pending Request freed, only if a valid Response has arrived (or the number of sysctl-retries has been exhausted). Further changes: ---------------- To be on the safe side, replaced __kfree_skb with kfree_skb so that if due to unexpected circumstances the sk_send_head is NULL the WARN_ON is used instead. Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/dccp')
-rw-r--r--net/dccp/input.c12
1 files changed, 6 insertions, 6 deletions
diff --git a/net/dccp/input.c b/net/dccp/input.c
index df2f110df94a..803933ab396d 100644
--- a/net/dccp/input.c
+++ b/net/dccp/input.c
@@ -411,12 +411,6 @@ static int dccp_rcv_request_sent_state_process(struct sock *sk,
411 struct dccp_sock *dp = dccp_sk(sk); 411 struct dccp_sock *dp = dccp_sk(sk);
412 long tstamp = dccp_timestamp(); 412 long tstamp = dccp_timestamp();
413 413
414 /* Stop the REQUEST timer */
415 inet_csk_clear_xmit_timer(sk, ICSK_TIME_RETRANS);
416 WARN_ON(sk->sk_send_head == NULL);
417 __kfree_skb(sk->sk_send_head);
418 sk->sk_send_head = NULL;
419
420 if (!between48(DCCP_SKB_CB(skb)->dccpd_ack_seq, 414 if (!between48(DCCP_SKB_CB(skb)->dccpd_ack_seq,
421 dp->dccps_awl, dp->dccps_awh)) { 415 dp->dccps_awl, dp->dccps_awh)) {
422 dccp_pr_debug("invalid ackno: S.AWL=%llu, " 416 dccp_pr_debug("invalid ackno: S.AWL=%llu, "
@@ -441,6 +435,12 @@ static int dccp_rcv_request_sent_state_process(struct sock *sk,
441 DCCP_ACKVEC_STATE_RECEIVED)) 435 DCCP_ACKVEC_STATE_RECEIVED))
442 goto out_invalid_packet; /* FIXME: change error code */ 436 goto out_invalid_packet; /* FIXME: change error code */
443 437
438 /* Stop the REQUEST timer */
439 inet_csk_clear_xmit_timer(sk, ICSK_TIME_RETRANS);
440 WARN_ON(sk->sk_send_head == NULL);
441 kfree_skb(sk->sk_send_head);
442 sk->sk_send_head = NULL;
443
444 dp->dccps_isr = DCCP_SKB_CB(skb)->dccpd_seq; 444 dp->dccps_isr = DCCP_SKB_CB(skb)->dccpd_seq;
445 dccp_update_gsr(sk, dp->dccps_isr); 445 dccp_update_gsr(sk, dp->dccps_isr);
446 /* 446 /*