Commit ce4a7d0d48bbaed78ccbb0bafb9229651a40303a
Committed by
David S. Miller
David S. Miller
1 parent
45d465bc23
Exists in
master
and in
20 other branches
inet{6}_request_sock: Init ->opt and ->pktopts in the constructor
Wei Yongjun noticed that we may call reqsk_free on request sock objects where the opt fields may not be initialized, fix it by introducing inet_reqsk_alloc where we initialize ->opt to NULL and set ->pktopts to NULL in inet6_reqsk_alloc. Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 8 changed files with 16 additions and 9 deletions Side-by-side Diff
include/linux/ipv6.h
include/net/inet_sock.h
| ... | ... | @@ -197,5 +197,15 @@ |
| 197 | 197 | return skb->rtable->rt_iif; |
| 198 | 198 | } |
| 199 | 199 | |
| 200 | +static inline struct request_sock *inet_reqsk_alloc(struct request_sock_ops *ops) | |
| 201 | +{ | |
| 202 | + struct request_sock *req = reqsk_alloc(ops); | |
| 203 | + | |
| 204 | + if (req != NULL) | |
| 205 | + inet_rsk(req)->opt = NULL; | |
| 206 | + | |
| 207 | + return req; | |
| 208 | +} | |
| 209 | + | |
| 200 | 210 | #endif /* _INET_SOCK_H */ |
net/dccp/ipv4.c
| ... | ... | @@ -589,7 +589,7 @@ |
| 589 | 589 | if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) |
| 590 | 590 | goto drop; |
| 591 | 591 | |
| 592 | - req = reqsk_alloc(&dccp_request_sock_ops); | |
| 592 | + req = inet_reqsk_alloc(&dccp_request_sock_ops); | |
| 593 | 593 | if (req == NULL) |
| 594 | 594 | goto drop; |
| 595 | 595 | |
| ... | ... | @@ -605,7 +605,6 @@ |
| 605 | 605 | ireq = inet_rsk(req); |
| 606 | 606 | ireq->loc_addr = ip_hdr(skb)->daddr; |
| 607 | 607 | ireq->rmt_addr = ip_hdr(skb)->saddr; |
| 608 | - ireq->opt = NULL; | |
| 609 | 608 | |
| 610 | 609 | /* |
| 611 | 610 | * Step 3: Process LISTEN state |
net/dccp/ipv6.c
| ... | ... | @@ -421,7 +421,6 @@ |
| 421 | 421 | ireq6 = inet6_rsk(req); |
| 422 | 422 | ipv6_addr_copy(&ireq6->rmt_addr, &ipv6_hdr(skb)->saddr); |
| 423 | 423 | ipv6_addr_copy(&ireq6->loc_addr, &ipv6_hdr(skb)->daddr); |
| 424 | - ireq6->pktopts = NULL; | |
| 425 | 424 | |
| 426 | 425 | if (ipv6_opt_accepted(sk, skb) || |
| 427 | 426 | np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo || |
net/ipv4/syncookies.c
| ... | ... | @@ -285,7 +285,7 @@ |
| 285 | 285 | cookie_check_timestamp(&tcp_opt); |
| 286 | 286 | |
| 287 | 287 | ret = NULL; |
| 288 | - req = reqsk_alloc(&tcp_request_sock_ops); /* for safety */ | |
| 288 | + req = inet_reqsk_alloc(&tcp_request_sock_ops); /* for safety */ | |
| 289 | 289 | if (!req) |
| 290 | 290 | goto out; |
| 291 | 291 | |
| ... | ... | @@ -301,7 +301,6 @@ |
| 301 | 301 | ireq->rmt_port = th->source; |
| 302 | 302 | ireq->loc_addr = ip_hdr(skb)->daddr; |
| 303 | 303 | ireq->rmt_addr = ip_hdr(skb)->saddr; |
| 304 | - ireq->opt = NULL; | |
| 305 | 304 | ireq->snd_wscale = tcp_opt.snd_wscale; |
| 306 | 305 | ireq->rcv_wscale = tcp_opt.rcv_wscale; |
| 307 | 306 | ireq->sack_ok = tcp_opt.sack_ok; |
net/ipv4/tcp_ipv4.c
net/ipv6/syncookies.c
net/ipv6/tcp_ipv6.c
| ... | ... | @@ -1299,7 +1299,6 @@ |
| 1299 | 1299 | treq = inet6_rsk(req); |
| 1300 | 1300 | ipv6_addr_copy(&treq->rmt_addr, &ipv6_hdr(skb)->saddr); |
| 1301 | 1301 | ipv6_addr_copy(&treq->loc_addr, &ipv6_hdr(skb)->daddr); |
| 1302 | - treq->pktopts = NULL; | |
| 1303 | 1302 | if (!want_cookie) |
| 1304 | 1303 | TCP_ECN_create_request(req, tcp_hdr(skb)); |
| 1305 | 1304 |