linux/net
Gerrit Renker d28934ad8a dccp: Fix panic caused by too early termination of retransmission mechanism
Thanks is due to Wei Yongjun for the detailed analysis and description of this
bug at http://marc.info/?l=dccp&m=121739364909199&w=2

The problem is that invalid packets received by a client in state REQUEST cause
the retransmission timer for the DCCP-Request to be reset. This includes freeing
the Request-skb (in dccp_rcv_request_sent_state_process()). As a consequence,
 * the arrival of further packets causes a double-free, triggering a panic(),
 * the connection then may hang, since further retransmissions are blocked.

This patch changes the order of statements so that the retransmission timer is
reset, and the pending Request freed, only if a valid Response has arrived (or
the number of sysctl-retries has been exhausted).

Further changes:
----------------
To be on the safe side, replaced __kfree_skb with kfree_skb so that if, due to
unexpected circumstances, the sk_send_head is NULL, the WARN_ON is used instead.

Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-08-18 21:14:20 -07:00
9p flag parameters: socket and socketpair 2008-07-24 10:47:27 -07:00
802 list_for_each_rcu must die: networking 2008-07-25 10:53:27 -07:00
8021q netdev: Handle ->addr_list_lock just like ->_xmit_lock for lockdep. 2008-07-22 14:16:42 -07:00
appletalk net: convert BUG_TRAP to generic WARN_ON 2008-07-25 21:43:18 -07:00
atm atm: fix const assignment/discard warnings in the ATM networking driver 2008-07-30 16:31:46 -07:00
ax25 AX.25: Fix sysctl registration if !CONFIG_AX25_DAMA_SLAVE 2008-08-05 18:46:57 -07:00
bluetooth [Bluetooth] Add parameters to control BNEP header compression 2008-08-07 22:26:54 +02:00
bridge bridge: show offload settings 2008-08-15 19:51:07 -07:00
can netns: Use net_eq() to compare net-namespaces for optimization. 2008-07-19 22:34:43 -07:00
core pkt_sched: Fix missed RCU unlock in dev_queue_xmit() 2008-08-17 23:37:16 -07:00
dccp dccp: Fix panic caused by too early termination of retransmission mechanism 2008-08-18 21:14:20 -07:00
decnet netns: Use net_eq() to compare net-namespaces for optimization. 2008-07-19 22:34:43 -07:00
econet netns: Use net_eq() to compare net-namespaces for optimization. 2008-07-19 22:34:43 -07:00
ethernet [NET]: Return more appropriate error from eth_validate_addr(). 2008-04-13 22:45:40 -07:00
ieee80211 wext: Emit event stream entries correctly when compat. 2008-06-16 18:50:49 -07:00
ipv4 ipv4: Disable route secret interval on zero interval 2008-08-15 13:44:31 -07:00
ipv6 ipv6: Fix the return interface index when get it while no message is received. 2008-08-17 23:21:52 -07:00
ipx netns: Use net_eq() to compare net-namespaces for optimization. 2008-07-19 22:34:43 -07:00
irda Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2008-07-20 17:43:29 -07:00
iucv Merge branch 'linus' into cpus4096-for-linus 2008-07-21 17:19:50 +02:00
key net: convert BUG_TRAP to generic WARN_ON 2008-07-25 21:43:18 -07:00
lapb [LAPB] net/lapb/lapb_iface.c: use LIST_HEAD instead of LIST_HEAD_INIT 2008-01-28 14:56:52 -08:00
llc netns: Use net_eq() to compare net-namespaces for optimization. 2008-07-19 22:34:43 -07:00
mac80211 mac80211: keep mesh ifaces in allmulti mode 2008-08-07 09:49:04 -04:00
netfilter netfilter: fix two recent sysctl problems 2008-08-06 02:35:44 -07:00
netlabel netns: Use net_eq() to compare net-namespaces for optimization. 2008-07-19 22:34:43 -07:00
netlink net: convert BUG_TRAP to generic WARN_ON 2008-07-25 21:43:18 -07:00
netrom netdev: Handle ->addr_list_lock just like ->_xmit_lock for lockdep. 2008-07-22 14:16:42 -07:00
packet net: convert BUG_TRAP to generic WARN_ON 2008-07-25 21:43:18 -07:00
rfkill RFKILL: set the status of the leds on activation. 2008-08-01 15:31:33 -04:00
rose netdev: Handle ->addr_list_lock just like ->_xmit_lock for lockdep. 2008-07-22 14:16:42 -07:00
rxrpc net/rxrpc: Use an IS_ERR test rather than a NULL test 2008-08-13 02:40:48 -07:00
sched pkt_sched: Don't hold qdisc lock over qdisc_destroy(). 2008-08-18 21:06:19 -07:00
sctp netns: Add network namespace argument to rt6_fill_node() and ipv6_dev_get_saddr() 2008-08-14 15:33:21 -07:00
sunrpc Merge branch 'linus' into cpus4096 2008-07-28 21:14:43 +02:00
tipc net/tipc/subscr.c: don't use ___constant_swab32 2008-08-13 02:32:06 -07:00
unix Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2008-07-26 20:23:44 -07:00
wanrouter wanmain.c doesn't need syncppp.h 2008-07-23 23:00:36 +02:00
wireless wext: Send name on events 2008-08-13 02:39:56 -07:00
x25 netns: Use net_eq() to compare net-namespaces for optimization. 2008-07-19 22:34:43 -07:00
xfrm xfrm: remove unnecessary variable in xfrm_output_resume() 2nd try 2008-08-13 13:35:37 -07:00
compat.c flag parameters: paccept 2008-07-24 10:47:27 -07:00
Kconfig net: Make "networking" one-click deselectable. 2008-07-30 03:27:53 -07:00
Makefile vlan: uninline __vlan_hwaccel_rx 2008-07-08 03:23:36 -07:00
nonet.c
socket.c SL*B: drop kmem cache argument from constructor 2008-07-26 12:00:07 -07:00
sysctl_net.c missing bits of net-namespace / sysctl 2008-07-27 09:45:34 -07:00
TUNABLE