linux/net
Gerrit Renker 720dc34bbb dccp: fix oops on Reset after close
This fixes a bug in the order of dccp_rcv_state_process() that still permitted
reception even after closing the socket. A Reset after close thus causes a NULL
pointer dereference by not preventing operations on an already torn-down socket.

 dccp_v4_do_rcv() 
	|
	| state other than OPEN
	v
 dccp_rcv_state_process()
	|
	| DCCP_PKT_RESET
	v
 dccp_rcv_reset()
	|
	v
 dccp_time_wait()

 WARNING: at net/ipv4/inet_timewait_sock.c:141 __inet_twsk_hashdance+0x48/0x128()
 Modules linked in: arc4 ecb carl9170 rt2870sta(C) mac80211 r8712u(C) crc_ccitt ah
 [<c0038850>] (unwind_backtrace+0x0/0xec) from [<c0055364>] (warn_slowpath_common)
 [<c0055364>] (warn_slowpath_common+0x4c/0x64) from [<c0055398>] (warn_slowpath_n)
 [<c0055398>] (warn_slowpath_null+0x1c/0x24) from [<c02b72d0>] (__inet_twsk_hashd)
 [<c02b72d0>] (__inet_twsk_hashdance+0x48/0x128) from [<c031caa0>] (dccp_time_wai)
 [<c031caa0>] (dccp_time_wait+0x40/0xc8) from [<c031c15c>] (dccp_rcv_state_proces)
 [<c031c15c>] (dccp_rcv_state_process+0x120/0x538) from [<c032609c>] (dccp_v4_do_)
 [<c032609c>] (dccp_v4_do_rcv+0x11c/0x14c) from [<c0286594>] (release_sock+0xac/0)
 [<c0286594>] (release_sock+0xac/0x110) from [<c031fd34>] (dccp_close+0x28c/0x380)
 [<c031fd34>] (dccp_close+0x28c/0x380) from [<c02d9a78>] (inet_release+0x64/0x70)

The fix is by testing the socket state first. Receiving a packet in Closed state
now also produces the required "No connection" Reset reply of RFC 4340, 8.3.1.

Reported-and-tested-by: Johan Hovold <jhovold@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-03-01 23:02:07 -08:00
..
9p net/9p: Use proper data types 2011-01-11 09:58:07 -06:00
802 net/802: add __rcu annotations 2010-10-25 13:09:44 -07:00
8021q 8021q: vlan device is lockless do not transfer real_num_{tx|rx}_queues 2010-11-28 10:47:19 -08:00
appletalk
atm Merge branch 'for-2.6.38' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq 2011-01-07 16:58:04 -08:00
ax25 net: ax25: fix information leak to userland harder 2011-01-12 00:34:49 -08:00
batman-adv batman-adv: Linearize fragment packets before merge 2011-02-08 00:54:31 +01:00
bluetooth Bluetooth: Release BTM while sleeping to avoid deadlock 2011-02-16 15:54:11 -03:00
bridge bridge: Use IPv6 link-local address for multicast listener queries 2011-02-22 10:07:29 -08:00
caif net/caif: Fix dangling list pointer in freed object on error. 2011-02-08 14:31:31 -08:00
can can: test size of struct sockaddr in sendmsg 2011-01-15 20:56:42 -08:00
ceph Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2011-01-13 10:25:24 -08:00
core net: handle addr_type of 0 properly 2011-02-25 13:58:54 -08:00
dcb Don't potentially dereference NULL in net/dcb/dcbnl.c:dcbnl_getapp() 2011-02-13 11:21:14 -08:00
dccp dccp: fix oops on Reset after close 2011-03-01 23:02:07 -08:00
decnet Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-01-13 10:05:56 -08:00
dns_resolver Net: dns_resolver: Makefile: Remove deprecated kbuild goal definitions 2010-11-22 08:16:10 -08:00
dsa module: fix missing semicolons in MODULE macro usage 2011-01-24 14:32:54 +10:30
econet econet: remove compiler warnings 2011-01-27 14:15:54 -08:00
ethernet eth: fix new kernel-doc warning 2011-01-12 19:00:40 -08:00
ieee802154 net: RCU conversion of dev_getbyhwaddr() and arp_ioctl() 2010-12-08 10:07:24 -08:00
ipv4 tcp: undo_retrans counter fixes 2011-02-21 11:31:18 -08:00
ipv6 sysctl: ipv6: use correct net in ipv6_sysctl_rtcache_flush 2011-02-25 11:01:56 -08:00
ipx BKL: introduce CONFIG_BKL. 2010-10-21 15:44:13 +02:00
irda Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-12-26 22:37:05 -08:00
iucv [S390] irq: have detailed statistics for interrupt types 2011-01-05 12:47:25 +01:00
key
l2tp Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-12-08 13:47:38 -08:00
lapb Net: lapb: Makefile: Remove deprecated kbuild goal definitions 2010-11-22 08:16:14 -08:00
llc net: RCU conversion of dev_getbyhwaddr() and arp_ioctl() 2010-12-08 10:07:24 -08:00
mac80211 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2011-02-22 11:53:05 -08:00
netfilter netfilter: tproxy: do not assign timewait sockets to skb->sk 2011-02-17 11:32:38 +01:00
netlabel net: kill unused macros 2010-12-19 21:59:35 -08:00
netlink netlink: handle errors from netlink_dump() 2011-02-28 12:18:12 -08:00
netrom
packet net: Use skb_checksum_start_offset() 2010-12-16 14:43:14 -08:00
phonet phonet: some signedness bugs 2011-01-10 13:33:17 -08:00
rds Net: rds: Makefile: Remove deprecated items 2010-11-22 08:16:15 -08:00
rfkill kconfig: rename CONFIG_EMBEDDED to CONFIG_EXPERT 2011-01-20 17:02:05 -08:00
rose
rxrpc rxrpc: rxrpc_workqueue isn't used during memory reclaim 2011-01-14 09:25:11 -08:00
sched net: Fix more stale on-stack list_head objects. 2011-02-20 11:49:45 -08:00
sctp sctp: fix reporting of unknown parameters 2011-02-19 19:06:55 -08:00
sunrpc NFS do not find client in NFSv4 pg_authenticate 2011-01-25 15:26:51 -05:00
tipc tipc: update log.h re-include protection to reflect new name 2011-01-01 14:56:18 -08:00
unix af_unix: Avoid socket->sk NULL OOPS in stream connect security hooks. 2011-01-05 15:38:53 -08:00
wanrouter Net: wanrouter: Makefile: Remove deprecated kbuild goal definitions 2010-11-22 08:16:16 -08:00
wimax
wireless Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2011-02-22 11:53:05 -08:00
x25 x25: Do not reference freed memory. 2011-02-09 22:36:13 -08:00
xfrm xfrm: avoid possible oopse in xfrm_alloc_dst 2011-02-10 23:08:33 -08:00
compat.c net: Limit socket I/O iovec total length to INT_MAX. 2010-10-28 11:47:52 -07:00
Kconfig Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-01-13 10:05:56 -08:00
Makefile net: Add batman-adv meshing protocol 2010-12-16 13:44:24 -08:00
nonet.c llseek: automatically add .llseek fop 2010-10-15 15:53:27 +02:00
socket.c pass default dentry_operations to mount_pseudo() 2011-01-12 20:03:43 -05:00
sysctl_net.c
TUNABLE