authorEric Dumazet <edumazet@google.com>2015-10-14 05:58:38 -0700
committerDavid S. Miller <davem@davemloft.net>2015-10-14 19:06:31 -0700
commitc2f34a65a61cd1ace3b53c93e8b38d2f79f4ff0d (patch)
tree1c6ceda4dc9a0e2c0287ceae9d3e96159894cc16 /net/ipv4/inet_hashtables.c
parentnet: phy: aquantia/teranetics: Convert to use module_phy_driver macro (diff)
tcp/dccp: fix potential NULL deref in __inet_inherit_port()
As we no longer hold listener lock in fast path, it is possible that a child is created right after listener freed its bound port, if a close() is done while incoming packets are processed. __inet_inherit_port() must detect this and return an error, so that caller can free the child earlier. Fixes: e994b2f0fb92 ("tcp: do not lock listener to process SYN packets") Fixes: 079096f103fa ("tcp/dccp: install syn_recv requests into ehash table") Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to '')
1 files changed, 4 insertions, 0 deletions
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index 08643a3616af..958728a22001 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -137,6 +137,10 @@ int __inet_inherit_port(const struct sock *sk, struct sock *child)
tb = inet_csk(sk)->icsk_bind_hash;
+ if (unlikely(!tb)) {
+ spin_unlock(&head->lock);
+ return -ENOENT;
+ }
if (tb->port != port) {
/* NOTE: using tproxy and redirecting skbs to a proxy
* on a different listener port breaks the assumption