net: Fix oops from tcp_collapse() when using splice() - linux

diff options

author	Steven J. Magnani <steve@digidescorp.com>	2010-03-30 22:56:01 +0200
committer	David S. Miller <davem@davemloft.net>	2010-03-30 22:56:01 +0200
commit	baff42ab1494528907bf4d5870359e31711746ae (patch)
tree	82cfffb254ea1f5b95701d328375228f7ab343e6 /net/ipv4/fib_lookup.h
parent	r8169: offical fix for CVE-2009-4537 (overlength frame DMAs) (diff)
download	linux-baff42ab1494528907bf4d5870359e31711746ae.tar.xz linux-baff42ab1494528907bf4d5870359e31711746ae.zip

net: Fix oops from tcp_collapse() when using splice()

tcp_read_sock() can have a eat skbs without immediately advancing copied_seq. This can cause a panic in tcp_collapse() if it is called as a result of the recv_actor dropping the socket lock. A userspace program that splices data from a socket to either another socket or to a file can trigger this bug. Signed-off-by: Steven J. Magnani <steve@digidescorp.com> Signed-off-by: David S. Miller <davem@davemloft.net>

Diffstat (limited to 'net/ipv4/fib_lookup.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: