diff options
| author | Eric Dumazet <[email protected]> | 2014-11-25 15:40:04 +0000 |
|---|---|---|
| committer | David S. Miller <[email protected]> | 2014-11-25 19:29:18 +0000 |
| commit | c3658e8d0f10147fc86018be7f11668246c156d3 (patch) | |
| tree | a25e9383d5b91d6062aa4770e6a181e9079d0396 /net/ipv6/tcp_ipv6.c | |
| parent | Revert "netfilter: conntrack: fix race in __nf_conntrack_confirm against get_... (diff) | |
| download | kernel-c3658e8d0f10147fc86018be7f11668246c156d3.tar.gz kernel-c3658e8d0f10147fc86018be7f11668246c156d3.zip | |
tcp: fix possible NULL dereference in tcp_vX_send_reset()
After commit ca777eff51f7 ("tcp: remove dst refcount false sharing for
prequeue mode") we have to relax check against skb dst in
tcp_v[46]_send_reset() if prequeue dropped the dst.
If a socket is provided, a full lookup was done to find this socket,
so the dst test can be skipped.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88191
Reported-by: Jaša Bartelj <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Reported-by: Daniel Borkmann <[email protected]>
Fixes: ca777eff51f7 ("tcp: remove dst refcount false sharing for prequeue mode")
Signed-off-by: David S. Miller <[email protected]>
Diffstat (limited to 'net/ipv6/tcp_ipv6.c')
| -rw-r--r-- | net/ipv6/tcp_ipv6.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index ace29b60813c..dc495ae2ead0 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -903,7 +903,10 @@ static void tcp_v6_send_reset(struct sock *sk, struct sk_buff *skb) if (th->rst) return; - if (!ipv6_unicast_destination(skb)) + /* If sk not NULL, it means we did a successful lookup and incoming + * route had to be correct. prequeue might have dropped our dst. + */ + if (!sk && !ipv6_unicast_destination(skb)) return; #ifdef CONFIG_TCP_MD5SIG |