Skip to content

Commit

Permalink
net: tcp: fix crashes trying to free half-baked MTU probes
Browse files Browse the repository at this point in the history 
tcp_stream_alloc_skb() initializes the skb to use tcp_tsorted_anchor
which is a union with the destructor. We need to clean that
TCP-iness up before freeing.

Fixes: 7360132 ("tcp: let tcp_mtu_probe() build headless packets")
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20231010173651.3990234-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  • Loading branch information
Jakub Kicinski committed Oct 12, 2023
1 parent 8bcfc9d commit 71c299c
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions net/ipv4/tcp_output.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2456,6 +2456,7 @@ static int tcp_mtu_probe(struct sock *sk)

/* build the payload, and be prepared to abort if this fails. */
if (tcp_clone_payload(sk, nskb, probe_size)) {
tcp_skb_tsorted_anchor_cleanup(nskb);
consume_skb(nskb);
return -1;
}
Expand Down

0 comments on commit 71c299c

Please sign in to comment.