/linux/net/ipv4/tcp.c
7db92362d2fee5887f6b0c41653b8c9f8f5d6020 Wed Mar 01 22:29:48 CET 2017 Wei Wang <weiwan@google.com>

tcp: fix potential double free issue for fastopen_req

tp->fastopen_req could potentially be double freed if a malicious user does the following:
1. Enable TCP_FASTOPEN_CONNECT sockopt and do a connect() on the socket.
2. Call connect() with AF_UNSPEC to disconnect the socket.
3. Make this socket a listening socket by calling listen().
4. Accept incoming connections and generate child sockets. All child sockets will get a copy of the pointer of fastopen_req.
5. Call close() on all sockets. fastopen_req will get freed multiple times.

Fixes: 19f6d3f3c842 ("net/tcp-fastopen: Add new API support")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>