| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 04 Dec 2009 14:45:59 +0100 From: Eric Dumazet <eric.dumazet@...il.com> To: kapil dakhane <kdakhane@...il.com>, "David S. Miller" <davem@...emloft.net> CC: netdev@...r.kernel.org, netfilter@...r.kernel.org, Evgeniy Polyakov <zbr@...emap.net> Subject: [PATCH 0/2] tcp: Fix connect() races with timewait sockets Eric Dumazet a écrit : > [PATCH] tcp: Fix a connect() race with timewait sockets > > When we find a timewait connection in __inet_hash_connect() and reuse > it for a new connection request, we have a race window, releasing bind > list lock and reacquiring it in __inet_twsk_kill() to remove timewait > socket from list. > > Another thread might find the timewait socket we already chose, leading to > list corruption and crashes. > > Fix is to remove timewait socket from bind list before releasing the lock. I cooked two patches on top of net-next-2.6 to solve the two last race problems I am aware of. Kapil, if you want to test them, make sure you take last net-next-2.6 snapshot. First patch changes __inet_hash_nolisten() and __inet6_hash() to get a timewait parameter to be able to unhash it from ehash at same time the new socket is inserted into ehash. Second patch is a respin of the first patch I sent : It makes sure __inet_has_connect() cannot give same timewait socket to different threads. Thanks ! Reported-by: kapil dakhane <kdakhane@...il.com> Signed-off-by: Eric Dumazet <eric.dumazet@...il.com> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists