Commit:     96a2d41a3e495734b63bff4e5dd0112741b93b38
Parent:     fb93134dfc2a6e6fbedc7c270a31da03fce88db9
Author:     Ilpo Järvinen <[EMAIL PROTECTED]>
AuthorDate: Wed Nov 14 15:47:18 2007 -0800
Committer:  David S. Miller <[EMAIL PROTECTED]>
CommitDate: Wed Nov 14 15:47:18 2007 -0800

    [TCP]: Make sure write_queue_from does not begin with NULL ptr

    NULL ptr can be returned from tcp_write_queue_head to cached_skb
    and then assigned to skb if packets_out was zero. Without this,
    system is vulnerable to carefully crafted ACKs, which obviously
    is remotely triggerable.

    Besides, there's very little that needs to be done in sacktag
    if there weren't any packets outstanding, just skipping the rest
    doesn't hurt.

    Signed-off-by: Ilpo Järvinen <[EMAIL PROTECTED]>
    Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
 net/ipv4/tcp_input.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 12ae9a6..3f126ec 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1269,6 +1269,9 @@ tcp_sacktag_write_queue(struct sock *sk, struct sk_buff 
*ack_skb, u32 prior_snd_
        if (before(TCP_SKB_CB(ack_skb)->ack_seq, prior_snd_una - 
                return 0;
+       if (!tp->packets_out)
+               goto out;
        /* SACK fastpath:
         * if the only SACK change is the increase of the end_seq of
         * the first block then only apply that SACK block
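Review bot: the new `if (!tp->packets_out) goto out;` guard carries no comment, and nothing in the surrounding code says why zero packets_out matters here. The commit message has the reason (tcp_write_queue_head can hand NULL to cached_skb, which then becomes skb), so a one-line comment above the check saying that the write queue walk must not start from a NULL skb would keep the guard from being dropped as redundant in a later cleanup. Note also that the stale-ACK test just above still exits with `return 0` while this path goes through `out`, so the function now has two early exits that should be confirmed to leave the same state.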
@@ -1515,6 +1518,8 @@ tcp_sacktag_write_queue(struct sock *sk, struct sk_buff 
*ack_skb, u32 prior_snd_
            (!tp->frto_highmark || after(tp->snd_una, tp->frto_highmark)))
                tcp_update_reordering(sk, tp->fackets_out - reord, 0);
        BUG_TRAP((int)tp->sacked_out >= 0);
        BUG_TRAP((int)tp->lost_out >= 0);
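Review bot: the `out` label that the first hunk jumps to does not appear in this hunk as shown; the header says 6 lines become 8, but no `+` lines are visible, so the label's position relative to `tcp_update_reordering()` and the `BUG_TRAP` checks cannot be verified from this text. For the early exit to be safe the label should sit after the reordering update, which uses `reord` computed later in the function, and ahead of the `BUG_TRAP((int)tp->sacked_out >= 0)` sanity checks so the skipped path is still covered by them. Please confirm against the full patch.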