From patchwork Sat Apr 8 15:07:33 2017
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 748604
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <1491664053.10124.92.camel@edumazet-glaptop3.roam.corp.google.com>
Subject: [PATCH net] tcp: clear saved_syn in tcp_disconnect()
From: Eric Dumazet
To: David Miller
Cc: netdev
Date: Sat, 08 Apr 2017 08:07:33 -0700
X-Mailing-List: netdev@vger.kernel.org

From: Eric Dumazet

In the (very unlikely) case a passive socket becomes a listener,
we do not want to duplicate its saved SYN headers.

This would lead to double frees, use after free, and please hackers and
various fuzzers.

Tested:

0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, IPPROTO_TCP, TCP_SAVE_SYN, [1], 4) = 0
+0 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 5) = 0
+0 < S 0:0(0) win 32972
+0 > S. 0:0(0) ack 1 <...>
+.1 < . 1:1(0) ack 1 win 257
+0 accept(3, ..., ...) = 4
+0 connect(4, AF_UNSPEC, ...) = 0
+0 close(3) = 0
+0 bind(4, ..., ...) = 0
+0 listen(4, 5) = 0
+0 < S 0:0(0) win 32972
+0 > S. 0:0(0) ack 1 <...>
+.1 < . 1:1(0) ack 1 win 257

Fixes: cd8ae85299d5 ("tcp: provide SYN headers for passive connections")
Signed-off-by: Eric Dumazet
---
 net/ipv4/tcp.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 94f0b5b50e0d728c3edab175aee9d769cd80907f..04843ae77b9ecacb3e4f2e81096f11d35ae1915e 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -2322,6 +2322,7 @@ int tcp_disconnect(struct sock *sk, int flags) tcp_init_send_head(sk); memset(&tp->rx_opt, 0, sizeof(tp->rx_opt)); __sk_dst_reset(sk); + tcp_saved_syn_free(tp); /* Clean up fastopen related fields */ tcp_free_fastopen_req(tp);
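Review bot: the new tcp_saved_syn_free(tp) call after __sk_dst_reset(sk) only closes the double free if the helper also resets tp->saved_syn to NULL, and nothing in this hunk shows that it does. Please confirm this in the helper's definition, since a freed but non-NULL pointer would still be present when the socket becomes a listener, which is the case the commit message describes. The added line also carries no comment, unlike the fastopen cleanup directly below it; a short one such as "/* Release saved SYN headers before the socket can become a listener */" would record why the call belongs in tcp_disconnect().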