linux_old1/net/dccp
Gerrit Renker d28934ad8a dccp: Fix panic caused by too early termination of retransmission mechanism
Thanks is due to Wei Yongjun for the detailed analysis and description of this
bug at http://marc.info/?l=dccp&m=121739364909199&w=2

The problem is that invalid packets received by a client in state REQUEST cause
the retransmission timer for the DCCP-Request to be reset. This includes freeing
the Request-skb ( in dccp_rcv_request_sent_state_process() ). As a consequence,
 * the arrival of further packets cause a double-free, triggering a panic(),
 * the connection then may hang, since further retransmissions are blocked.

This patch changes the order of statements so that the retransmission timer is
reset, and the pending Request freed, only if a valid Response has arrived (or
the number of sysctl-retries has been exhausted).

Further changes:
----------------
To be on the safe side, replaced __kfree_skb with kfree_skb so that if due to
unexpected circumstances the sk_send_head is NULL the WARN_ON is used instead.

Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-08-18 21:14:20 -07:00
..
ccids dccp ccid-3: Length of loss intervals 2008-07-13 11:51:40 +01:00
Kconfig [DCCP]: Promote CCID2 as default CCID 2008-01-28 14:54:46 -08:00
Makefile [DCCPv6]: Resolve conditional build problem 2006-12-02 21:22:28 -08:00
ackvec.c dccp: Fix sparse warnings 2008-06-11 11:19:09 +01:00
ackvec.h [ACKVEC]: Reduce length of identifiers 2008-01-28 14:54:51 -08:00
ccid.c [CCID]: More informative registration 2008-01-28 14:57:58 -08:00
ccid.h [DCCP]: Introducing CCMPS 2008-01-28 14:57:59 -08:00
dccp.h tcp: Fix kernel panic when calling tcp_v(4/6)_md5_do_lookup 2008-08-06 23:50:04 -07:00
diag.c [INET]: Let inet_diag and friends autoload 2007-10-22 02:59:54 -07:00
feat.c dccp: return -EINVAL on invalid feature length 2008-05-05 13:50:24 -07:00
feat.h [DCCP]: Remove unused and redundant validation functions 2008-01-28 14:57:52 -08:00
input.c dccp: Fix panic caused by too early termination of retransmission mechanism 2008-08-18 21:14:20 -07:00
ipv4.c dccp: Fix incorrect length check for ICMPv4 packets 2008-07-26 11:59:10 +01:00
ipv6.c dccp: Add check for truncated ICMPv6 DCCP error packets 2008-07-26 11:59:11 +01:00
ipv6.h Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
minisocks.c tcp: Fix kernel panic when calling tcp_v(4/6)_md5_do_lookup 2008-08-06 23:50:04 -07:00
options.c dccp: Upgrade NDP count from 3 to 6 bytes 2008-07-13 11:51:40 +01:00
output.c dccp: Bug-Fix - AWL was never updated 2008-07-26 11:59:10 +01:00
probe.c dccp: Fix sparse warnings 2008-06-11 11:19:09 +01:00
proto.c dccp: change L/R must have at least one byte in the dccpsf_val field 2008-08-13 13:48:39 -07:00
sysctl.c [NET]: Simple ctl_table to ctl_path conversions. 2008-01-28 15:01:07 -08:00
timer.c dccp: Allow to distinguish original and retransmitted packets 2008-07-26 11:59:09 +01:00