git.baikalelectronics.ru Git - kernel.git/commit
tcp: fix potential double free issue for fastopen_req
author Wei Wang <weiwan@google.com>
Wed, 1 Mar 2017 21:29:48 +0000 (13:29 -0800)
committer David S. Miller <davem@davemloft.net>
Thu, 2 Mar 2017 22:05:41 +0000 (14:05 -0800)
commit df94bb02ed84c32f196221d74a692e91bbeff283
tree 4d1b45575d0b490061671c4dddaa32f795013e59
parent a8cf3d5ed06e1fd9dbf61c7aa0f195ae29cf6aab
tcp: fix potential double free issue for fastopen_req

tp->fastopen_req could potentially be double freed if a malicious
user does the following:
1. Enable TCP_FASTOPEN_CONNECT sockopt and do a connect() on the socket.
2. Call connect() with AF_UNSPEC to disconnect the socket.
3. Make this socket a listening socket by calling listen().
4. Accept incoming connections and generate child sockets. All child
   sockets will get a copy of the pointer of fastopen_req.
5. Call close() on all sockets. fastopen_req will get freed multiple
   times.

Fixes: 2629f61e4348 ("net/tcp-fastopen: Add new API support")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/tcp.c
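
The ownership problem in steps 1-5 of the commit message, as a userspace model added here (not kernel code and not part of this commit). The struct and function names are hypothetical, frees are counted rather than performed, and releasing the request at disconnect is an assumed mitigation, since the patch body is not shown on this page.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only; names are hypothetical, not kernel code.
 * free_count stands in for kfree() bookkeeping on one object. */
struct req { int free_count; };
struct sock_model { struct req *fastopen_req; };

static void release_req(struct sock_model *sk)
{
    if (sk->fastopen_req) {
        sk->fastopen_req->free_count++;   /* models kfree(); counted, not freed */
        sk->fastopen_req = NULL;
    }
}

/* Steps 1-5 from the commit message. clear_on_disconnect selects the
 * hardened behaviour (an assumed mitigation, not the patch itself).
 * Returns how many times the single request object was "freed". */
static int run_sequence(int clear_on_disconnect, int nchildren)
{
    struct req r = { 0 };
    struct sock_model parent = { 0 }, child[8];
    int i;

    if (nchildren > 8)
        nchildren = 8;
    parent.fastopen_req = &r;            /* 1: deferred-connect state allocated */
    if (clear_on_disconnect)             /* 2: connect(AF_UNSPEC) disconnects */
        release_req(&parent);
    /* 3: listen() leaves whatever pointer is still stored in place */
    for (i = 0; i < nchildren; i++)      /* 4: accept() clones the parent */
        child[i] = parent;               /*    shallow copy of the pointer */
    for (i = 0; i < nchildren; i++)      /* 5: close() on all sockets */
        release_req(&child[i]);
    release_req(&parent);
    return r.free_count;
}

int main(void)
{
    printf("stale pointer kept: freed %d times\n", run_sequence(0, 3));
    printf("cleared on disconnect: freed %d times\n", run_sequence(1, 3));
    return 0;
}
```

Any count above 1 corresponds to the multiple frees described in step 5; with the pointer released and cleared at disconnect, the children copy NULL and the count stays at 1.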