summaryrefslogtreecommitdiff
path: root/drivers
diff options
context:
space:
mode:
authorWei Wang <weiwan@google.com>2017-03-02 00:29:48 +0300
committerDavid S. Miller <davem@davemloft.net>2017-03-03 01:05:41 +0300
commit7db92362d2fee5887f6b0c41653b8c9f8f5d6020 (patch)
tree4d1b45575d0b490061671c4dddaa32f795013e59 /drivers
parent94352d45092c23874532221b4d1e4721df9d63df (diff)
downloadlinux-7db92362d2fee5887f6b0c41653b8c9f8f5d6020.tar.xz
tcp: fix potential double free issue for fastopen_req
tp->fastopen_req could potentially be double freed if a malicious user does the following: 1. Enable TCP_FASTOPEN_CONNECT sockopt and do a connect() on the socket. 2. Call connect() with AF_UNSPEC to disconnect the socket. 3. Make this socket a listening socket by calling listen(). 4. Accept incoming connections and generate child sockets. All child sockets will get a copy of the pointer of fastopen_req. 5. Call close() on all sockets. fastopen_req will get freed multiple times. Fixes: 19f6d3f3c842 ("net/tcp-fastopen: Add new API support") Reported-by: Andrey Konovalov <andreyknvl@google.com> Signed-off-by: Wei Wang <weiwan@google.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers')
0 files changed, 0 insertions, 0 deletions