tcp: initialize tp->copied_seq in case of cross SYN connection

[ Upstream commit 142a2e7ece8d8ac0e818eb2c91f99ca894730e2a ] Dmitry provided a syzkaller (http://github.com/google/syzkaller) generated program that triggers the WARNING at net/ipv4/tcp.c:1729 in tcp_recvmsg() : WARN_ON(tp->copied_seq != tp->rcv_nxt && !(flags & (MSG_PEEK | MSG_TRUNC))); His program is specifically attempting a Cross SYN TCP exchange, that we support (for the pleasure of hackers ?), but it looks we lack proper tcp->copied_seq initialization. Thanks again Dmitry for your report and testings. Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Dmitry Vyukov <dvyukov@google.com> Tested-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
author: Eric Dumazet <edumazet@google.com> 2015-11-26 19:18:14 +0300
committer: Ben Hutchings <ben@decadent.org.uk> 2015-12-30 05:26:01 +0300
commit: 6cfa9781d3bf950eed455369966bbdf9d05871c5 (patch)
tree: 479d32e928c479efe2eee16c2af64aa36e458f83 /net/ipv4/tcp_input.c
parent: ca194f27b9dcd0d389b83f27c3a5c84caacb6246 (diff)
download: linux-6cfa9781d3bf950eed455369966bbdf9d05871c5.tar.xz
1 files changed, 1 insertions, 0 deletions
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index f8b58997c38e..3877e1678247 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -5811,6 +5811,7 @@ discard:
 		}
 
 		tp->rcv_nxt = TCP_SKB_CB(skb)->seq + 1;
+		tp->copied_seq = tp->rcv_nxt;
 		tp->rcv_wup = TCP_SKB_CB(skb)->seq + 1;
 
 		/* RFC1323: The window in SYN & SYN/ACK segments is
author	Eric Dumazet <edumazet@google.com>	2015-11-26 19:18:14 +0300
committer	Ben Hutchings <ben@decadent.org.uk>	2015-12-30 05:26:01 +0300
commit	6cfa9781d3bf950eed455369966bbdf9d05871c5 (patch)
tree	479d32e928c479efe2eee16c2af64aa36e458f83 /net/ipv4/tcp_input.c
parent	ca194f27b9dcd0d389b83f27c3a5c84caacb6246 (diff)
download	linux-6cfa9781d3bf950eed455369966bbdf9d05871c5.tar.xz