diff options
| author | John Stultz <john.stultz@linaro.org> | 2016-05-12 11:17:52 -0700 |
|---|---|---|
| committer | Amit Pundir <amit.pundir@linaro.org> | 2016-05-19 12:35:13 +0530 |
| commit | 4158b3431f473aad101da1100a9b241ff8b3cc74 (patch) | |
| tree | 1950e0732f819823a032b895a9f124d3c4c29e99 /net | |
| parent | f73ca028a0a4cc307597efc6ef2c910dc2d20639 (diff) | |
xt_qtaguid: Fix panic caused by processing non-full socket.
In an issue very similar to 4e461c777e3 (xt_qtaguid: Fix panic
caused by synack processing), we were seeing panics on occasion
in testing.
In this case, it was the same issue, but caused by a different
call path, as the sk being returned from qtaguid_find_sk() was
not a full socket. Resulting in the sk->sk_socket deref to fail.
This patch adds an extra check to ensure the sk being retuned
is a full socket, and if not it returns NULL.
Reported-by: Milosz Wasilewski <milosz.wasilewski@linaro.org>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/xt_qtaguid.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/xt_qtaguid.c b/net/netfilter/xt_qtaguid.c index 822dc3c3bce1..e2e7d54f9bb1 100644 --- a/net/netfilter/xt_qtaguid.c +++ b/net/netfilter/xt_qtaguid.c @@ -1606,7 +1606,7 @@ static struct sock *qtaguid_find_sk(const struct sk_buff *skb, * When in TCP_TIME_WAIT the sk is not a "struct sock" but * "struct inet_timewait_sock" which is missing fields. */ - if (sk->sk_state == TCP_TIME_WAIT) { + if (!sk_fullsock(sk) || sk->sk_state == TCP_TIME_WAIT) { sock_gen_put(sk); sk = NULL; } |
