From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:57760 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1425299AbdD3OXV (ORCPT ); Sun, 30 Apr 2017 10:23:21 -0400 Subject: Patch "tcp: clear saved_syn in tcp_disconnect()" has been added to the 4.4-stable tree To: edumazet@google.com, davem@davemloft.net, gregkh@linuxfoundation.org Cc: , From: Date: Sun, 30 Apr 2017 16:11:41 +0200 Message-ID: <1493561501146138@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled tcp: clear saved_syn in tcp_disconnect() to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: tcp-clear-saved_syn-in-tcp_disconnect.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From foo@baz Sun Apr 30 15:46:17 CEST 2017 From: Eric Dumazet Date: Sat, 8 Apr 2017 08:07:33 -0700 Subject: tcp: clear saved_syn in tcp_disconnect() From: Eric Dumazet [ Upstream commit 17c3060b1701fc69daedb4c90be6325d3d9fca8e ] In the (very unlikely) case a passive socket becomes a listener, we do not want to duplicate its saved SYN headers. This would lead to double frees, use after free, and please hackers and various fuzzers Tested: 0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 +0 setsockopt(3, IPPROTO_TCP, TCP_SAVE_SYN, [1], 4) = 0 +0 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 +0 bind(3, ..., ...) = 0 +0 listen(3, 5) = 0 +0 < S 0:0(0) win 32972 +0 > S. 0:0(0) ack 1 <...> +.1 < . 1:1(0) ack 1 win 257 +0 accept(3, ..., ...) = 4 +0 connect(4, AF_UNSPEC, ...) = 0 +0 close(3) = 0 +0 bind(4, ..., ...) = 0 +0 listen(4, 5) = 0 +0 < S 0:0(0) win 32972 +0 > S. 0:0(0) ack 1 <...> +.1 < . 1:1(0) ack 1 win 257 Fixes: cd8ae85299d5 ("tcp: provide SYN headers for passive connections") Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/ipv4/tcp.c | 1 + 1 file changed, 1 insertion(+) --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -2260,6 +2260,7 @@ int tcp_disconnect(struct sock *sk, int tcp_init_send_head(sk); memset(&tp->rx_opt, 0, sizeof(tp->rx_opt)); __sk_dst_reset(sk); + tcp_saved_syn_free(tp); WARN_ON(inet->inet_num && !icsk->icsk_bind_hash); Patches currently in stable-queue which might be from edumazet@google.com are queue-4.4/tcp-clear-saved_syn-in-tcp_disconnect.patch queue-4.4/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch queue-4.4/net-packet-fix-overflow-in-check-for-tp_reserve.patch queue-4.4/net-neigh-guard-against-null-solicit-method.patch