    tcp: Fix slab corruption with ipv6 and tcp6fuzz · 9ae27e0a
    Evgeniy Polyakov authored
    From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
    
    This fixes a regression added by ec3c0982
    ("[TCP]: TCP_DEFER_ACCEPT updates - process as established")
    
    tcp_v6_do_rcv()->tcp_rcv_established(), the latter goes to step5, where
    eventually skb can be freed via tcp_data_queue() (drop: label), then if
    check for tcp_defer_accept_check() returns true and thus
    tcp_rcv_established() returns -1, which forces tcp_v6_do_rcv() to jump
    to reset: label, which in turn will pass through discard: label and free
    the same skb again.
    
    Tested by Eric Sesterhenn.
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Acked-By: Patrick McManus <mcmanus@ducksong.com>
    9ae27e0a
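
The double free described in the commit message, modelled as an added example (not code from the kernel or from this commit): the hypothetical names `struct buf`, `rcv_buggy`, `rcv_checked_first` and `do_rcv` stand in for the skb, `tcp_rcv_established()` and `tcp_v6_do_rcv()`, and a counter replaces the real free so the second release is observable. Running the check before the buffer is consumed is an assumed way to restore the one-free contract; the commit's own change is not shown on this page.

```c
#include <stdio.h>

/* Constructed model: the buffer counts releases instead of calling free(),
 * so a second release is observable without undefined behaviour. */
struct buf { int frees; };

static void buf_free(struct buf *b) { b->frees++; }

/* Stand-in for the callee: the data path drops the buffer, and only then
 * the deferred-accept check decides to return -1. */
static int rcv_buggy(struct buf *b, int defer_check)
{
    buf_free(b);                 /* drop: path released the buffer */
    return defer_check ? -1 : 0; /* -1 still asks the caller to reset */
}

/* Assumed repair: decide on -1 before the buffer is consumed. */
static int rcv_checked_first(struct buf *b, int defer_check)
{
    if (defer_check)
        return -1;               /* buffer untouched, caller releases it */
    buf_free(b);
    return 0;
}

/* Stand-in for the caller: 0 means the callee consumed the buffer; any
 * other value goes to reset:, which passes through discard: and frees. */
static void do_rcv(int (*rcv)(struct buf *, int), struct buf *b, int defer_check)
{
    if (rcv(b, defer_check) == 0)
        return;
    buf_free(b);                 /* reset: -> discard: */
}

/* Number of releases one packet sees on a given path; must always be 1. */
static int frees_after(int (*rcv)(struct buf *, int), int defer_check)
{
    struct buf b = { 0 };
    do_rcv(rcv, &b, defer_check);
    return b.frees;
}

int main(void)
{
    printf("buggy, check true:  %d frees\n", frees_after(rcv_buggy, 1));
    printf("fixed, check true:  %d frees\n", frees_after(rcv_checked_first, 1));
    return 0;
}
```

The invariant to review for in code of this shape is that every return value maps to exactly one owner of the buffer: a callee that may already have released it must not return a value the caller treats as "still mine to free".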
tcp_input.c 156 KB