* [PATCH net] tcp: fix possible NULL dereference in tcp_vX_send_reset()
@ 2014-11-25 15:40 Eric Dumazet
2014-11-26 17:09 ` David Miller
0 siblings, 1 reply; 2+ messages in thread
From: Eric Dumazet @ 2014-11-25 15:40 UTC (permalink / raw)
To: David Miller; +Cc: netdev, Daniel Borkmann, Jaša Bartelj
From: Eric Dumazet <edumazet@google.com>
After commit ca777eff51f7 ("tcp: remove dst refcount false sharing for
prequeue mode") we have to relax check against skb dst in
tcp_v[46]_send_reset() if prequeue dropped the dst.
If a socket is provided, a full lookup was done to find this socket,
so the dst test can be skipped.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88191
Reported-by: Jaša Bartelj <jasa.bartelj@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Daniel Borkmann <dborkman@redhat.com>
Fixes: ca777eff51f7 ("tcp: remove dst refcount false sharing for prequeue mode")
---
net/ipv4/tcp_ipv4.c | 5 ++++-
net/ipv6/tcp_ipv6.c | 5 ++++-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 9c7d7621466b..147be2024290 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -598,7 +598,10 @@ static void tcp_v4_send_reset(struct sock *sk, struct sk_buff *skb)
if (th->rst)
return;
- if (skb_rtable(skb)->rt_type != RTN_LOCAL)
+ /* If sk not NULL, it means we did a successful lookup and incoming
+ * route had to be correct. prequeue might have dropped our dst.
+ */
+ if (!sk && skb_rtable(skb)->rt_type != RTN_LOCAL)
return;
/* Swap the send and the receive. */
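Review bot: In the new test `if (!sk && skb_rtable(skb)->rt_type != RTN_LOCAL)`, the sk == NULL branch still dereferences skb_rtable(skb) without a NULL check, so the fix relies on the dst only ever being dropped on paths that pass a socket. The added comment explains why the test can be skipped when sk is set, but not why the dereference is safe when it is not. Please state that invariant in the comment, or guard the pointer before reading rt_type.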
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index ace29b60813c..dc495ae2ead0 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -903,7 +903,10 @@ static void tcp_v6_send_reset(struct sock *sk, struct sk_buff *skb)
if (th->rst)
return;
- if (!ipv6_unicast_destination(skb))
+ /* If sk not NULL, it means we did a successful lookup and incoming
+ * route had to be correct. prequeue might have dropped our dst.
+ */
+ if (!sk && !ipv6_unicast_destination(skb))
return;
#ifdef CONFIG_TCP_MD5SIG
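Review bot: The comment above `if (!sk && !ipv6_unicast_destination(skb))` is copied verbatim from the IPv4 hunk and does not say that ipv6_unicast_destination() is the check against the skb dst that the commit message refers to, so a reader of this file alone cannot see what the !sk short-circuit protects. Suggest naming the helper in the comment, and noting that it is still called unguarded when sk is NULL, which is only safe if a dst is always attached on that path.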
* Re: [PATCH net] tcp: fix possible NULL dereference in tcp_vX_send_reset()
From: David Miller @ 2014-11-26 17:09 UTC (permalink / raw)
To: eric.dumazet; +Cc: netdev, dborkman, jasa.bartelj
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Tue, 25 Nov 2014 07:40:04 -0800
> From: Eric Dumazet <edumazet@google.com>
>
> After commit ca777eff51f7 ("tcp: remove dst refcount false sharing for
> prequeue mode") we have to relax check against skb dst in
> tcp_v[46]_send_reset() if prequeue dropped the dst.
>
> If a socket is provided, a full lookup was done to find this socket,
> so the dst test can be skipped.
>
> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88191
> Reported-by: Jaša Bartelj <jasa.bartelj@gmail.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: Daniel Borkmann <dborkman@redhat.com>
> Fixes: ca777eff51f7 ("tcp: remove dst refcount false sharing for prequeue mode")
Applied, thanks Eric.