tcp: Fix slab corruption with ipv6 and tcp6fuzz

From: Evgeniy Polyakov <johnpol@2ka.mipt.ru> This fixes a regression added by ec3c098 ("[TCP]: TCP_DEFER_ACCEPT updates - process as established") tcp_v6_do_rcv()->tcp_rcv_established(), the latter goes to step5, where eventually skb can be freed via tcp_data_queue() (drop: label), then if check for tcp_defer_accept_check() returns true and thus tcp_rcv_established() returns -1, which forces tcp_v6_do_rcv() to jump to reset: label, which in turn will pass through discard: label and free the same skb again. Tested by Eric Sesterhenn. Signed-off-by: David S. Miller <davem@davemloft.net> Acked-By: Patrick McManus <mcmanus@ducksong.com>
mariux64 · Apr 27, 2008 · 9ae27e0 · 9ae27e0
1 parent dae5029
commit 9ae27e0
Showing 1 changed file with 1 addition and 2 deletions.
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
@@ -4925,8 +4925,7 @@ int tcp_rcv_established(struct sock *sk, struct sk_buff *skb,
 	tcp_data_snd_check(sk);
 	tcp_ack_snd_check(sk);
 
-	if (tcp_defer_accept_check(sk))
-		return -1;
+	tcp_defer_accept_check(sk);
 	return 0;
 
 csum_error: