author | Evgeniy Polyakov <johnpol@2ka.mipt.ru> | 2008-04-27 18:27:30 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-04-27 18:27:30 -0400 |
commit | 9ae27e0adbf471c7a6b80102e38e1d5a346b3b38 (patch) | |
tree | 54ef2bb504625e003a35dae8ebbeb4b755f52419 /net/ipv4/tcp_input.c | |
parent | dae50295488f35d2d617b08a5fae43154c947eec (diff) |
tcp: Fix slab corruption with ipv6 and tcp6fuzz
From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
This fixes a regression added by ec3c0982a2dd1e671bad8e9d26c28dcba0039d87 ("[TCP]: TCP_DEFER_ACCEPT updates - process as established")

tcp_v6_do_rcv()->tcp_rcv_established(), the latter goes to step5, where eventually skb can be freed via tcp_data_queue() (drop: label), then if check for tcp_defer_accept_check() returns true and thus tcp_rcv_established() returns -1, which forces tcp_v6_do_rcv() to jump to reset: label, which in turn will pass through discard: label and free the same skb again.
Tested by Eric Sesterhenn.
Signed-off-by: David S. Miller <davem@davemloft.net>
Acked-By: Patrick McManus <mcmanus@ducksong.com>
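The failure the commit message describes is an ownership mismatch: the callee has already consumed the skb on its drop path, but its -1 return code tells the caller to take the reset/discard path and free the buffer once more. The following is an added, constructed C model of that contract (not kernel code, not the author's or the project's code); `toy_skb`, `toy_kfree_skb`, `toy_data_queue`, `toy_defer_accept_check`, `rcv_established_buggy`, `rcv_established_fixed` and `do_rcv` are hypothetical stand-ins for the kernel functions named in the message, and the model simplifies by always consuming the skb in the queue step. Instead of corrupting a slab, the second free shows up as a counter, which is the kind of instrumentation (or a KASAN-style double-free report) a defender would use to confirm this class of bug.

```c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a kernel sk_buff: a heap buffer plus a counter so a
 * double free is observable as a count rather than as slab corruption. */
struct toy_skb {
    char *data;
    int freed;   /* number of times toy_kfree_skb() was called on this skb */
};

static void toy_kfree_skb(struct toy_skb *skb)
{
    skb->freed++;
    if (skb->freed == 1) {
        free(skb->data);          /* first free: legitimate */
        skb->data = NULL;
    }
    /* a second call is the double free; here it is only counted */
}

/* Stand-in for tcp_data_queue(): in this model the drop path always consumes
 * (frees) the skb, which is the situation the commit message describes. */
static void toy_data_queue(struct toy_skb *skb)
{
    toy_kfree_skb(skb);
}

/* Stand-in for tcp_defer_accept_check(): nonzero means "deferred accept says
 * reset this connection". */
static int toy_defer_accept_check(int defer_active)
{
    return defer_active;
}

/* Buggy shape of the step5 tail: the skb is already gone, yet -1 tells the
 * caller to reset, and the caller's discard path frees the skb again. */
static int rcv_established_buggy(struct toy_skb *skb, int defer_active)
{
    toy_data_queue(skb);          /* skb consumed here (drop: label) */
    if (toy_defer_accept_check(defer_active))
        return -1;                /* caller will now free skb a second time */
    return 0;
}

/* Fixed shape, mirroring the patch: run the check for its side effect only and
 * always report the skb as consumed. */
static int rcv_established_fixed(struct toy_skb *skb, int defer_active)
{
    toy_data_queue(skb);
    toy_defer_accept_check(defer_active);
    return 0;
}

/* Stand-in for tcp_v6_do_rcv(): a negative result jumps to reset:, which falls
 * through to discard: and frees the skb. Returns how often the skb was freed. */
static int do_rcv(int (*rcv)(struct toy_skb *, int), int defer_active)
{
    static const char payload[] = "constructed payload";
    struct toy_skb skb;

    skb.data = malloc(sizeof payload);
    memcpy(skb.data, payload, sizeof payload);
    skb.freed = 0;

    if (rcv(&skb, defer_active) < 0) {
        /* reset: ... falls through to */
        /* discard: */
        toy_kfree_skb(&skb);
    }
    return skb.freed;
}

int main(void)
{
    printf("buggy, defer accept active: skb freed %d times\n",
           do_rcv(rcv_established_buggy, 1));
    printf("fixed, defer accept active: skb freed %d times\n",
           do_rcv(rcv_established_fixed, 1));
    return 0;
}
```

Running the model with deferred accept active shows the buggy path freeing the skb twice and the fixed path once; with deferred accept inactive both paths free it exactly once, which is why the regression only surfaced under TCP_DEFER_ACCEPT with the tcp6fuzz tests.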
Diffstat (limited to 'net/ipv4/tcp_input.c')
-rw-r--r-- | net/ipv4/tcp_input.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index ac9b8482f702..0298f80681f2 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c
@@ -4925,8 +4925,7 @@ step5: | |||
4925 | tcp_data_snd_check(sk); | 4925 | tcp_data_snd_check(sk); |
4926 | tcp_ack_snd_check(sk); | 4926 | tcp_ack_snd_check(sk); |
4927 | 4927 | ||
4928 | if (tcp_defer_accept_check(sk)) | 4928 | tcp_defer_accept_check(sk); |
4929 | return -1; | ||
4930 | return 0; | 4929 | return 0; |
4931 | 4930 | ||
4932 | csum_error: | 4931 | csum_error: |
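Review bot: dropping the `return -1` after `tcp_defer_accept_check(sk)` is the right fix for the double free described in the commit message (by step5 the skb may already have been consumed via tcp_data_queue(), so the caller must not be told to reset and discard it), but the hunk now silently ignores the helper's return value with no explanation at the call site. Suggest a one-line comment above `tcp_defer_accept_check(sk);` stating that the skb is already consumed here and that tcp_rcv_established() must return 0 regardless of the deferred-accept result, or changing the helper to return void, so a later cleanup cannot reintroduce the early return. Since the diffstat is limited to net/ipv4/tcp_input.c, any other caller of tcp_rcv_established() that keyed off the -1 result should be checked separately.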