forked from Minki/linux
inet: fix possible request socket leak
In commitb357a364c5
("inet: fix possible panic in reqsk_queue_unlink()"), I missed fact that tcp_check_req() can return the listener socket in one case, and that we must release the request socket refcount or we leak it. Tested: Following packetdrill test template shows the issue 0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 +0 bind(3, ..., ...) = 0 +0 listen(3, 1) = 0 +0 < S 0:0(0) win 2920 <mss 1460,sackOK,nop,nop> +0 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK> +.002 < . 1:1(0) ack 21 win 2920 +0 > R 21:21(0) Fixes:b357a364c5
("inet: fix possible panic in reqsk_queue_unlink()") Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
2235f2ac75
commit
3257d8b12f
@ -1348,7 +1348,7 @@ static struct sock *tcp_v4_hnd_req(struct sock *sk, struct sk_buff *skb)
|
||||
req = inet_csk_search_req(sk, th->source, iph->saddr, iph->daddr);
|
||||
if (req) {
|
||||
nsk = tcp_check_req(sk, skb, req, false);
|
||||
if (!nsk)
|
||||
if (!nsk || nsk == sk)
|
||||
reqsk_put(req);
|
||||
return nsk;
|
||||
}
|
||||
|
@ -943,7 +943,7 @@ static struct sock *tcp_v6_hnd_req(struct sock *sk, struct sk_buff *skb)
|
||||
&ipv6_hdr(skb)->daddr, tcp_v6_iif(skb));
|
||||
if (req) {
|
||||
nsk = tcp_check_req(sk, skb, req, false);
|
||||
if (!nsk)
|
||||
if (!nsk || nsk == sk)
|
||||
reqsk_put(req);
|
||||
return nsk;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user