From: Steven J. Magnani on 30 Mar 2010 16:50

tcp_read_sock() can eat skbs without immediately advancing copied_seq. This can cause a panic in tcp_collapse() if it is called as a result of the recv_actor dropping the socket lock.

A userspace program that splices data from a socket to either another socket or to a file can trigger this bug.

Signed-off-by: Steven J. Magnani <steve(a)digidescorp.com>
---
diff -uprN a/net/ipv4/tcp.c b/net/ipv4/tcp.c --- a/net/ipv4/tcp.c 2010-03-30 15:25:55.000000000 -0500 +++ b/net/ipv4/tcp.c 2010-03-30 15:27:49.000000000 -0500 @@ -1335,6 +1335,7 @@ int tcp_read_sock(struct sock *sk, read_ sk_eat_skb(sk, skb, 0); if (!desc->count) break; + tp->copied_seq = seq; } tp->copied_seq = seq;
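
Review bot: The added "tp->copied_seq = seq;" at the end of the loop body sits directly above the identical assignment after the closing brace and carries no comment saying why both are needed, so a later cleanup could drop one of them as redundant. A short comment on the in-loop line would help, for example that the recv_actor can drop the socket lock and tcp_collapse() must not see eaten skbs with a stale copied_seq. The post-loop assignment is still needed for the "if (!desc->count) break;" exit, which skips the new line. It is also worth confirming that any other point in the loop that eats an skb either reaches this update or leaves the loop before the recv_actor runs again.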