diff options
author | Eric Dumazet <edumazet@google.com> | 2017-02-04 01:59:38 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-04-18 08:55:44 +0300 |
commit | 337bb5f3fd50872e4bdac43c097fd7bf926f24a9 (patch) | |
tree | 469f2249c4f4ea787ebe69511c3f0d91cf4043fb | |
parent | c12d69340ee7cd97da07cc8549b7f08bbaae71af (diff) | |
download | linux-337bb5f3fd50872e4bdac43c097fd7bf926f24a9.tar.xz |
tcp: avoid infinite loop in tcp_splice_read()
[ Upstream commit ccf7abb93af09ad0868ae9033d1ca8108bdaec82 ]
Splicing from TCP socket is vulnerable when a packet with URG flag is
received and stored into receive queue.
__tcp_splice_read() returns 0, and sk_wait_data() immediately
returns since there is the problematic skb in queue.
This is a nice way to burn cpu (aka infinite loop) and trigger
soft lockups.
Again, this gem was found by syzkaller tool.
Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | net/ipv4/tcp.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index a21c47289765..daf3b217b1e4 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -775,6 +775,12 @@ ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos, ret = -EAGAIN; break; } + /* if __tcp_splice_read() got nothing while we have + * an skb in receive queue, we do not want to loop. + * This might happen with URG data. + */ + if (!skb_queue_empty(&sk->sk_receive_queue)) + break; sk_wait_data(sk, &timeo); if (signal_pending(current)) { ret = sock_intr_errno(timeo); |