Message ID | 1bce4074c1b2db217fa206c122902cef54e22280.1354674154.git.wpan@redhat.com |
---|---|
State | RFC, archived |
Delegated to: | David Miller |
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 4327deb..e9d82e0 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -2512,8 +2512,12 @@ void tcp_close(struct sock *sk, long timeout) * reader process may not have drained the data yet! */ while ((skb = __skb_dequeue(&sk->sk_receive_queue)) != NULL) { - u32 len = TCP_SKB_CB(skb)->end_seq - TCP_SKB_CB(skb)->seq - + u32 len; + if (tcp_hdr(skb)) + len = TCP_SKB_CB(skb)->end_seq - TCP_SKB_CB(skb)->seq - tcp_hdr(skb)->fin; + else + len = TCP_SKB_CB(skb)->end_seq - TCP_SKB_CB(skb)->seq; data_was_unread += len; __kfree_skb(skb); }
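Review bot: In the while loop of tcp_close(), the new if/else repeats the end_seq - seq subtraction in both branches, and nothing in the code says why tcp_hdr(skb) can be NULL at this point. Computing the length once and adjusting it, with `u32 len = TCP_SKB_CB(skb)->end_seq - TCP_SKB_CB(skb)->seq;` followed by `if (tcp_hdr(skb)) len -= tcp_hdr(skb)->fin;`, keeps the declaration initialised and confines the special case to one line; a short comment naming the header-less friends skb would document it. The test also only protects against the panic if tcp_hdr() really returns NULL for such an skb, which this hunk does not show, so please confirm that it holds on builds where the transport header is stored as an offset rather than a pointer.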
For tcp friends data skb, it has no tcp header, and its transport_header is NULL, so it will panic if we dereference tcp_hdr(skb) in tcp_close(). So I add a check before we use tcp_hdr().

Signed-off-by: Weiping Pan <wpan@redhat.com>

---
 net/ipv4/tcp.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)