Commit c3658e8d, authored by Eric Dumazet, committed by David S. Miller

tcp: fix possible NULL dereference in tcp_vX_send_reset()

After commit ca777eff ("tcp: remove dst refcount false sharing for
prequeue mode") we have to relax check against skb dst in
tcp_v[46]_send_reset() if prequeue dropped the dst.

If a socket is provided, a full lookup was done to find this socket,
so the dst test can be skipped.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88191
Reported-by: Jaša Bartelj <jasa.bartelj@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Daniel Borkmann <dborkman@redhat.com>
Fixes: ca777eff ("tcp: remove dst refcount false sharing for prequeue mode")
Signed-off-by: David S. Miller <davem@davemloft.net>
Parent 43612d7c
...@@ -598,7 +598,10 @@ static void tcp_v4_send_reset(struct sock *sk, struct sk_buff *skb) ...@@ -598,7 +598,10 @@ static void tcp_v4_send_reset(struct sock *sk, struct sk_buff *skb)
if (th->rst) if (th->rst)
return; return;
if (skb_rtable(skb)->rt_type != RTN_LOCAL) /* If sk not NULL, it means we did a successful lookup and incoming
* route had to be correct. prequeue might have dropped our dst.
*/
if (!sk && skb_rtable(skb)->rt_type != RTN_LOCAL)
return; return;
/* Swap the send and the receive. */ /* Swap the send and the receive. */
......
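Review bot: in the new condition `if (!sk && skb_rtable(skb)->rt_type != RTN_LOCAL)`, the `!sk` branch still dereferences `skb_rtable(skb)` with no NULL check, and the added comment only explains why the test can be skipped when sk is set. Since the fix exists because prequeue can drop the dst, the comment should also state why the dst is guaranteed to be present when sk is NULL, or the test should check the pointer before reading rt_type.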
...@@ -903,7 +903,10 @@ static void tcp_v6_send_reset(struct sock *sk, struct sk_buff *skb) ...@@ -903,7 +903,10 @@ static void tcp_v6_send_reset(struct sock *sk, struct sk_buff *skb)
if (th->rst) if (th->rst)
return; return;
if (!ipv6_unicast_destination(skb)) /* If sk not NULL, it means we did a successful lookup and incoming
* route had to be correct. prequeue might have dropped our dst.
*/
if (!sk && !ipv6_unicast_destination(skb))
return; return;
#ifdef CONFIG_TCP_MD5SIG #ifdef CONFIG_TCP_MD5SIG
......
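Review bot: with `if (!sk && !ipv6_unicast_destination(skb))`, any caller that passes a non-NULL sk now bypasses the unicast-destination filter entirely, so the decision not to answer a non-unicast segment with a RST rests on the socket lookup alone. The comment, copied verbatim from the IPv4 hunk, says only that the "incoming route had to be correct"; it would be better to name the IPv6 invariant being relied on (a successful lookup implies a unicast destination), so that a later caller passing sk from a different path does not silently lose the check.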