Patch "tcp: fix potential memory corruption" has been added to the 4.4-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    tcp: fix potential memory corruption

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tcp-fix-potential-memory-corruption.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From foo@baz Fri Nov 18 11:09:43 CET 2016
From: Eric Dumazet <edumazet@xxxxxxxxxx>
Date: Wed, 2 Nov 2016 07:53:17 -0700
Subject: tcp: fix potential memory corruption

From: Eric Dumazet <edumazet@xxxxxxxxxx>


[ Upstream commit ac9e70b17ecd7c6e933ff2eaf7ab37429e71bf4d ]

Imagine initial value of max_skb_frags is 17, and last
skb in write queue has 15 frags.

Then max_skb_frags is lowered to 14 or smaller value.

tcp_sendmsg() will then be allowed to add additional page frags
and eventually go past MAX_SKB_FRAGS, overflowing struct
skb_shared_info.

Fixes: 5f74f82ea34c ("net:Add sysctl_max_skb_frags")
Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
Cc: Hans Westgaard Ry <hans.westgaard.ry@xxxxxxxxxx>
Cc: Håkon Bugge <haakon.bugge@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/ipv4/tcp.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1212,7 +1212,7 @@ new_segment:
 
 			if (!skb_can_coalesce(skb, i, pfrag->page,
 					      pfrag->offset)) {
-				if (i == sysctl_max_skb_frags || !sg) {
+				if (i >= sysctl_max_skb_frags || !sg) {
 					tcp_mark_push(tp, skb);
 					goto new_segment;
 				}


Patches currently in stable-queue which might be from edumazet@xxxxxxxxxx are

queue-4.4/net-__skb_flow_dissect-must-cap-its-return-value.patch
queue-4.4/tcp-take-care-of-truncations-done-by-sk_filter.patch
queue-4.4/net-clear-sk_err_soft-in-sk_clone_lock.patch
queue-4.4/net-mangle-zero-checksum-in-skb_checksum_help.patch
queue-4.4/ipv6-dccp-fix-out-of-bound-access-in-dccp_v6_err.patch
queue-4.4/ipv6-dccp-add-missing-bind_conflict-to-dccp_ipv6_mapped.patch
queue-4.4/tcp-fix-potential-memory-corruption.patch
queue-4.4/dccp-do-not-send-reset-to-already-closed-sockets.patch
queue-4.4/dccp-fix-out-of-bound-access-in-dccp_v4_err.patch
queue-4.4/sock-fix-sendmmsg-for-partial-sendmsg.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]