Commit 1ca9e250 authored by Ilpo Järvinen's avatar Ilpo Järvinen Committed by Greg Kroah-Hartman

TCP: Make sure write_queue_from does not begin with NULL ptr (CVE-2007-5501)

patch 96a2d41a in mainline.

NULL ptr can be returned from tcp_write_queue_head to cached_skb
and then assigned to skb if packets_out was zero. Without this,
system is vulnerable to a carefully crafted ACKs which obviously
is remotely triggerable.

Besides, there's very little that needs to be done in sacktag
if there weren't any packets outstanding, just skipping the rest
doesn't hurt.
Signed-off-by: default avatarIlpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent 5ef016ad
...@@ -994,6 +994,9 @@ tcp_sacktag_write_queue(struct sock *sk, struct sk_buff *ack_skb, u32 prior_snd_ ...@@ -994,6 +994,9 @@ tcp_sacktag_write_queue(struct sock *sk, struct sk_buff *ack_skb, u32 prior_snd_
if (before(TCP_SKB_CB(ack_skb)->ack_seq, prior_snd_una - tp->max_window)) if (before(TCP_SKB_CB(ack_skb)->ack_seq, prior_snd_una - tp->max_window))
return 0; return 0;
if (!tp->packets_out)
goto out;
/* SACK fastpath: /* SACK fastpath:
* if the only SACK change is the increase of the end_seq of * if the only SACK change is the increase of the end_seq of
* the first block then only apply that SACK block * the first block then only apply that SACK block
...@@ -1262,6 +1265,8 @@ tcp_sacktag_write_queue(struct sock *sk, struct sk_buff *ack_skb, u32 prior_snd_ ...@@ -1262,6 +1265,8 @@ tcp_sacktag_write_queue(struct sock *sk, struct sk_buff *ack_skb, u32 prior_snd_
(!tp->frto_highmark || after(tp->snd_una, tp->frto_highmark))) (!tp->frto_highmark || after(tp->snd_una, tp->frto_highmark)))
tcp_update_reordering(sk, ((tp->fackets_out + 1) - reord), 0); tcp_update_reordering(sk, ((tp->fackets_out + 1) - reord), 0);
out:
#if FASTRETRANS_DEBUG > 0 #if FASTRETRANS_DEBUG > 0
BUG_TRAP((int)tp->sacked_out >= 0); BUG_TRAP((int)tp->sacked_out >= 0);
BUG_TRAP((int)tp->lost_out >= 0); BUG_TRAP((int)tp->lost_out >= 0);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment