tcp: Fix use-after-free of nreq in reqsk_timer_handler(). (c31e72d0) · Commits · linux-arm / linux-power

Commit c31e72d0 authored Nov 23, 2024 by Kuniyuki Iwashima Committed by Paolo Abeni Nov 28, 2024

tcp: Fix use-after-free of nreq in reqsk_timer_handler().



The cited commit replaced inet_csk_reqsk_queue_drop_and_put() with
__inet_csk_reqsk_queue_drop() and reqsk_put() in reqsk_timer_handler().

Then, oreq should be passed to reqsk_put() instead of req; otherwise
use-after-free of nreq could happen when reqsk is migrated but the
retry attempt failed (e.g. due to timeout).

Let's pass oreq to reqsk_put().

Fixes: e8c526f2 ("tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().")
Reported-by: Liu Jian <liujian56@huawei.com>
Closes: https://lore.kernel.org/netdev/1284490f-9525-42ee-b7b8-ccadf6606f6d@huawei.com/


Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Reviewed-by: Liu Jian <liujian56@huawei.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://patch.msgid.link/20241123174236.62438-1-kuniyu@amazon.com


Signed-off-by: Paolo Abeni <pabeni@redhat.com>

parent e2668c34

Hide whitespace changes

Inline Side-by-side

Please register or to comment