diff options
author | Menglong Dong <imagedong@tencent.com> | 2022-05-13 11:03:39 +0800 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2022-05-16 10:47:44 +0100 |
commit | f8319dfd1b3b3be6c08795017fc30f880f8bc861 (patch) | |
tree | e41b3286e8a9a62b0ded02ecd7b63c057cd39660 | |
parent | 7ebd3f3ee51a9e02994cd0a1be44fbd325d1e0dc (diff) |
net: tcp: reset 'drop_reason' to NOT_SPCIFIED in tcp_v{4,6}_rcv()
The 'drop_reason' that passed to kfree_skb_reason() in tcp_v4_rcv()
and tcp_v6_rcv() can be SKB_NOT_DROPPED_YET(0), as it is used as the
return value of tcp_inbound_md5_hash().
And it can panic the kernel with NULL pointer in
net_dm_packet_report_size() if the reason is 0, as drop_reasons[0]
is NULL.
Fixes: 1330b6ef3313 ("skb: make drop reason booleanable")
Reviewed-by: Jiang Biao <benbjiang@tencent.com>
Reviewed-by: Hao Peng <flyingpeng@tencent.com>
Signed-off-by: Menglong Dong <imagedong@tencent.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv4/tcp_ipv4.c | 1 | ||||
-rw-r--r-- | net/ipv6/tcp_ipv6.c | 1 |
2 files changed, 2 insertions, 0 deletions
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 218ad871c0e4..f09bdfc6a321 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -2101,6 +2101,7 @@ bad_packet: } discard_it: + SKB_DR_OR(drop_reason, NOT_SPECIFIED); /* Discard frame. */ kfree_skb_reason(skb, drop_reason); return 0; diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 60bdec257ba7..636ed23d9af0 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -1509,6 +1509,7 @@ reset: discard: if (opt_skb) __kfree_skb(opt_skb); + SKB_DR_OR(reason, NOT_SPECIFIED); kfree_skb_reason(skb, reason); return 0; csum_err: |