| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 30 Mar 2010 15:45:13 -0500 From: "Steven J. Magnani" <steve@...idescorp.com> To: netdev@...r.kernel.org Cc: "David S. Miller" <davem@...emloft.net>, Alexey Kuznetsov <kuznet@....inr.ac.ru>, "Pekka Savola (ipv6)" <pekkas@...core.fi>, James Morris <jmorris@...ei.org>, Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>, Patrick McHardy <kaber@...sh.net>, linux-kernel@...r.kernel.org, monstr@...str.eu, Karl Hiramoto <karl@...amoto.org>, "Steven J. Magnani" <steve@...idescorp.com> Subject: [PATCH] net: Fix oops from tcp_collapse() when using splice() tcp_read_sock() can have a eat skbs without immediately advancing copied_seq. This can cause a panic in tcp_collapse() if it is called as a result of the recv_actor dropping the socket lock. A userspace program that splices data from a socket to either another socket or to a file can trigger this bug. Signed-off-by: Steven J. Magnani <steve@...idescorp.com> --- diff -uprN a/net/ipv4/tcp.c b/net/ipv4/tcp.c --- a/net/ipv4/tcp.c 2010-03-30 15:25:55.000000000 -0500 +++ b/net/ipv4/tcp.c 2010-03-30 15:27:49.000000000 -0500 @@ -1335,6 +1335,7 @@ int tcp_read_sock(struct sock *sk, read_ sk_eat_skb(sk, skb, 0); if (!desc->count) break; + tp->copied_seq = seq; } tp->copied_seq = seq; -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists