| From foo@baz Fri Dec 11 11:39:46 EST 2015 |
| From: Eric Dumazet <edumazet@google.com> |
| Date: Thu, 26 Nov 2015 08:18:14 -0800 |
| Subject: tcp: initialize tp->copied_seq in case of cross SYN connection |
| |
| From: Eric Dumazet <edumazet@google.com> |
| |
| [ Upstream commit 142a2e7ece8d8ac0e818eb2c91f99ca894730e2a ] |
| |
| Dmitry provided a syzkaller (http://github.com/google/syzkaller) |
| generated program that triggers the WARNING at |
| net/ipv4/tcp.c:1729 in tcp_recvmsg() : |
| |
| WARN_ON(tp->copied_seq != tp->rcv_nxt && |
| !(flags & (MSG_PEEK | MSG_TRUNC))); |
| |
| His program is specifically attempting a Cross SYN TCP exchange, |
| that we support (for the pleasure of hackers ?), but it looks we |
| lack proper tcp->copied_seq initialization. |
| |
| Thanks again Dmitry for your report and testings. |
| |
| Signed-off-by: Eric Dumazet <edumazet@google.com> |
| Reported-by: Dmitry Vyukov <dvyukov@google.com> |
| Tested-by: Dmitry Vyukov <dvyukov@google.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/ipv4/tcp_input.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/net/ipv4/tcp_input.c |
| +++ b/net/ipv4/tcp_input.c |
| @@ -5575,6 +5575,7 @@ discard: |
| } |
| |
| tp->rcv_nxt = TCP_SKB_CB(skb)->seq + 1; |
| + tp->copied_seq = tp->rcv_nxt; |
| tp->rcv_wup = TCP_SKB_CB(skb)->seq + 1; |
| |
| /* RFC1323: The window in SYN & SYN/ACK segments is |