Message ID | 1491664053.10124.92.camel@edumazet-glaptop3.roam.corp.google.com |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Headers | show |
From: Eric Dumazet <eric.dumazet@gmail.com> Date: Sat, 08 Apr 2017 08:07:33 -0700 > From: Eric Dumazet <edumazet@google.com> > > In the (very unlikely) case a passive socket becomes a listener, > we do not want to duplicate its saved SYN headers. > > This would lead to double frees, use after free, and please hackers and > various fuzzers > > Tested: ... > Fixes: cd8ae85299d5 ("tcp: provide SYN headers for passive connections") > Signed-off-by: Eric Dumazet <edumazet@google.com> Applied, thanks Eric.
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 94f0b5b50e0d728c3edab175aee9d769cd80907f..04843ae77b9ecacb3e4f2e81096f11d35ae1915e 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -2322,6 +2322,7 @@ int tcp_disconnect(struct sock *sk, int flags) tcp_init_send_head(sk); memset(&tp->rx_opt, 0, sizeof(tp->rx_opt)); __sk_dst_reset(sk); + tcp_saved_syn_free(tp); /* Clean up fastopen related fields */ tcp_free_fastopen_req(tp);