| From 96a2d41a3e495734b63bff4e5dd0112741b93b38 Mon Sep 17 00:00:00 2001 |
| From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> |
| Date: Wed, 14 Nov 2007 15:47:18 -0800 |
| Subject: TCP: Make sure write_queue_from does not begin with NULL ptr (CVE-2007-5501) |
| |
| From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> |
| patch 96a2d41a3e495734b63bff4e5dd0112741b93b38 in mainline. |
| |
| NULL ptr can be returned from tcp_write_queue_head to cached_skb |
| and then assigned to skb if packets_out was zero. Without this, |
| system is vulnerable to a carefully crafted ACKs which obviously |
| is remotely triggerable. |
| |
| Besides, there's very little that needs to be done in sacktag |
| if there weren't any packets outstanding, just skipping the rest |
| doesn't hurt. |
| |
| Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| |
| --- |
| net/ipv4/tcp_input.c | 5 +++++ |
| 1 file changed, 5 insertions(+) |
| |
| --- a/net/ipv4/tcp_input.c |
| +++ b/net/ipv4/tcp_input.c |
| @@ -1012,6 +1012,9 @@ tcp_sacktag_write_queue(struct sock *sk, |
| if (before(TCP_SKB_CB(ack_skb)->ack_seq, prior_snd_una - tp->max_window)) |
| return 0; |
| |
| + if (!tp->packets_out) |
| + goto out; |
| + |
| /* SACK fastpath: |
| * if the only SACK change is the increase of the end_seq of |
| * the first block then only apply that SACK block |
| @@ -1280,6 +1283,8 @@ tcp_sacktag_write_queue(struct sock *sk, |
| (!tp->frto_highmark || after(tp->snd_una, tp->frto_highmark))) |
| tcp_update_reordering(sk, ((tp->fackets_out + 1) - reord), 0); |
| |
| +out: |
| + |
| #if FASTRETRANS_DEBUG > 0 |
| BUG_TRAP((int)tp->sacked_out >= 0); |
| BUG_TRAP((int)tp->lost_out >= 0); |