lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1321304216.2719.23.camel@edumazet-laptop>
Date:	Mon, 14 Nov 2011 21:56:56 +0100
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	David Miller <davem@...emloft.net>
Cc:	sim@...tway.ca, tglx@...utronix.de, netdev@...r.kernel.org,
	a.p.zijlstra@...llo.nl, linux-kernel@...r.kernel.org,
	davej@...hat.com, schwidefsky@...ibm.com, mingo@...e.hu
Subject: Re: [3.1] Divide by zero in __tcp_select_window()

Le lundi 14 novembre 2011 à 15:36 -0500, David Miller a écrit :
> From: Eric Dumazet <eric.dumazet@...il.com>
> Date: Tue, 08 Nov 2011 22:23:25 +0100
> 
> > OK, it seems we let a timer running while we free the socket (same error
> > path than your previous bug report, because of the NULL route)
> > 
> > We arm this keepalive timer in tcp_create_openreq_child()
> > 
> > net/ipv4/tcp_minisocks.c:513
> > 	if (sock_flag(newsk, SOCK_KEEPOPEN))
> > 		inet_csk_reset_keepalive_timer(newsk,
> > 			keepalive_time_when(newtp));
> > 
> > I would try to add a call to tcp_clear_xmit_timers() as well
> > 
> > Please try following patch :
> 
> We've been waiting quite some time to get some testing validation on
> this patch, but I think it's correct.
> 
> Eric can you formally submit this?  Thanks!

Sure, here it is.

Please Simon feel free to add your "Tested-by" signature 

Thanks

[PATCH] tcp: clear xmit timers in tcp_v4_syn_recv_sock()

Simon Kirby reported divides by zero errors in __tcp_select_window()

This happens when inet_csk_route_child_sock() returns a NULL pointer :

We free new socket while we eventually armed keepalive timer in
tcp_create_openreq_child()

Fix this by a call to tcp_clear_xmit_timers()

[ This is a followup to commit 918eb39962dff (net: add missing
bh_unlock_sock() calls) ]

Reported-by: Simon Kirby <sim@...tway.ca>
Signed-off-by: Eric Dumazet <eric.dumazet@...il.com>
---
 net/ipv4/tcp_ipv4.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index a744315..a9db4b1 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1510,6 +1510,7 @@ exit:
 	NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENDROPS);
 	return NULL;
 put_and_exit:
+	tcp_clear_xmit_timers(newsk);
 	bh_unlock_sock(newsk);
 	sock_put(newsk);
 	goto exit;


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ