diff options
author | Steven J. Magnani <steve@digidescorp.com> | 2010-03-30 22:56:01 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-03-30 22:56:01 +0200 |
commit | baff42ab1494528907bf4d5870359e31711746ae (patch) | |
tree | 82cfffb254ea1f5b95701d328375228f7ab343e6 /net | |
parent | r8169: offical fix for CVE-2009-4537 (overlength frame DMAs) (diff) | |
download | linux-baff42ab1494528907bf4d5870359e31711746ae.tar.xz linux-baff42ab1494528907bf4d5870359e31711746ae.zip |
net: Fix oops from tcp_collapse() when using splice()
tcp_read_sock() can have a eat skbs without immediately advancing copied_seq.
This can cause a panic in tcp_collapse() if it is called as a result
of the recv_actor dropping the socket lock.
A userspace program that splices data from a socket to either another
socket or to a file can trigger this bug.
Signed-off-by: Steven J. Magnani <steve@digidescorp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/tcp.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 6afb6d8662b2..2c75f891914e 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -1368,6 +1368,7 @@ int tcp_read_sock(struct sock *sk, read_descriptor_t *desc, sk_eat_skb(sk, skb, 0); if (!desc->count) break; + tp->copied_seq = seq; } tp->copied_seq = seq; |