Message ID | 20190215213621.183537-3-edumazet@google.com |
---|---|
State | Accepted |
Delegated to: | David Miller |
Series | tcp: fix possible crash in tcp_v4_err() |

On Fri, Feb 15, 2019 at 4:36 PM Eric Dumazet <edumazet@google.com> wrote:
>
> ICMP handlers are not very often stressed, we should
> make them more resilient to bugs that might surface in
> the future.
>
> If there is no packet in retransmit queue, we should
> avoid a NULL deref.
>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: soukjin bae <soukjin.bae@samsung.com>
> ---
> net/ipv4/tcp_ipv4.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)

Acked-by: Neal Cardwell <ncardwell@google.com>

Thanks!
neal

On Fri, Feb 15, 2019 at 9:21 PM Neal Cardwell <ncardwell@google.com> wrote:
>
> On Fri, Feb 15, 2019 at 4:36 PM Eric Dumazet <edumazet@google.com> wrote:
> >
> > ICMP handlers are not very often stressed, we should
> > make them more resilient to bugs that might surface in
> > the future.
> >
> > If there is no packet in retransmit queue, we should
> > avoid a NULL deref.
> >
> > Signed-off-by: Eric Dumazet <edumazet@google.com>
> > Reported-by: soukjin bae <soukjin.bae@samsung.com>
> > ---
> > net/ipv4/tcp_ipv4.c | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
>
> Acked-by: Neal Cardwell <ncardwell@google.com>

Acked-by: Soheil Hassas Yeganeh <soheil@google.com>

Thank you for the fix, Eric!

>
> Thanks!
>
> neal

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index efc6fef692ffdca4dcdd3f4b87a837656dd66c8c..ec3cea9d68288244d8e03b655d06f91640c36ee7 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -536,12 +536,15 @@ int tcp_v4_err(struct sk_buff *icmp_skb, u32 info) if (sock_owned_by_user(sk)) break; + skb = tcp_rtx_queue_head(sk); + if (WARN_ON_ONCE(!skb)) + break; + icsk->icsk_backoff--; icsk->icsk_rto = tp->srtt_us ? __tcp_set_rto(tp) : TCP_TIMEOUT_INIT; icsk->icsk_rto = inet_csk_rto_backoff(icsk, TCP_RTO_MAX); - skb = tcp_rtx_queue_head(sk); tcp_mstamp_refresh(tp); delta_us = (u32)(tp->tcp_mstamp - tcp_skb_timestamp_us(skb));
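
Review bot: the new "if (WARN_ON_ONCE(!skb)) break;" placed ahead of "icsk->icsk_backoff--" has no comment explaining why the tcp_rtx_queue_head(sk) lookup was moved up, and the ordering is the whole point of the hunk: bailing out before the backoff and icsk_rto updates leaves the socket state untouched when the retransmit queue is empty. A one-line comment stating that an empty queue is unexpected here and that the check must stay above the backoff decrement would keep a later cleanup from moving the lookup back down next to tcp_skb_timestamp_us(skb). Separately, WARN_ON_ONCE still brings the machine down on systems booted with panic_on_warn, and this path runs from ICMP input; if the empty-queue case can be reached by received traffic rather than only by an internal bug, a plain "if (!skb) break;" is the safer form.
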
ICMP handlers are not very often stressed, we should
make them more resilient to bugs that might surface in
the future.

If there is no packet in retransmit queue, we should
avoid a NULL deref.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: soukjin bae <soukjin.bae@samsung.com>
---
 net/ipv4/tcp_ipv4.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)