summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorSteven J. Magnani <steve@digidescorp.com>2010-03-30 22:56:01 +0200
committerDavid S. Miller <davem@davemloft.net>2010-03-30 22:56:01 +0200
commitbaff42ab1494528907bf4d5870359e31711746ae (patch)
tree82cfffb254ea1f5b95701d328375228f7ab343e6 /net
parentr8169: offical fix for CVE-2009-4537 (overlength frame DMAs) (diff)
downloadlinux-baff42ab1494528907bf4d5870359e31711746ae.tar.xz
linux-baff42ab1494528907bf4d5870359e31711746ae.zip
net: Fix oops from tcp_collapse() when using splice()
tcp_read_sock() can have a eat skbs without immediately advancing copied_seq. This can cause a panic in tcp_collapse() if it is called as a result of the recv_actor dropping the socket lock. A userspace program that splices data from a socket to either another socket or to a file can trigger this bug. Signed-off-by: Steven J. Magnani <steve@digidescorp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/tcp.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 6afb6d8662b2..2c75f891914e 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1368,6 +1368,7 @@ int tcp_read_sock(struct sock *sk, read_descriptor_t *desc,
sk_eat_skb(sk, skb, 0);
if (!desc->count)
break;
+ tp->copied_seq = seq;
}
tp->copied_seq = seq;