* [PATCH 2.4] sock_put() on a TIMEWAIT socket
@ 2004-03-29 2:03 Nivedita Singhvi
From: Nivedita Singhvi @ 2004-03-29 2:03 UTC (permalink / raw)
To: David Miller; +Cc: netdev
Dave,
Caught an instance of sock_put() being used instead of
tcp_tw_put().
If the refcnt goes to 0, tcp_tw_put() will release a
tcp_tw_bucket back into the tcp timewait cache, whereas
the sock_put() decrement will release a sock struct back
into the sk cache. Not sure how the slab caches handle
this, but tw is a smaller structure and the next caller
who gets this tw pointer thinking it's a sock could
potentially write past memory that it should (?).
Patch applies to 2.4.25.
thanks,
Nivedita
diff -urN linux-2.4.25/net/ipv4/tcp_ipv4.c linux-2.4.25mc/net/ipv4/tcp_ipv4.c
--- linux-2.4.25/net/ipv4/tcp_ipv4.c 2003-11-28 10:26:21.000000000 -0800
+++ linux-2.4.25mc/net/ipv4/tcp_ipv4.c 2004-03-28 16:35:01.000000000 -0800
@@ -1804,7 +1804,8 @@
do_time_wait:
if (skb->len < (th->doff<<2) || tcp_checksum_complete(skb)) {
TCP_INC_STATS_BH(TcpInErrs);
- goto discard_and_relse;
+ tcp_tw_put((struct tcp_tw_bucket *) sk);
+ goto discard_it;
}
switch(tcp_timewait_state_process((struct tcp_tw_bucket *)sk,
skb, th, skb->len)) {
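Review bot: the patch description should spell out that the discard_and_relse label drops the reference with sock_put(), since the hunk itself only shows a goto being replaced and a reader cannot tell from the diff alone why that path would return a tcp_tw_bucket to the wrong slab cache; a one-line comment above the new `tcp_tw_put((struct tcp_tw_bucket *) sk);` saying that `sk` is a timewait bucket here, not a full socket, would make the same point in the code itself. The cast matches the one already used in the `tcp_timewait_state_process((struct tcp_tw_bucket *)sk, ...)` call in the trailing context, so the new line is consistent with how the rest of the do_time_wait block treats `sk`, and switching to `goto discard_it` after the explicit put avoids a double drop.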