diff options
author | John Stultz <john.stultz@linaro.org> | 2016-05-12 11:17:52 -0700 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2016-07-28 19:49:12 -0700 |
commit | cf25e3a538799e40fedd1eac631defe947080390 (patch) | |
tree | 587ce40f05781c74db49311bf913edc50cd2b15f /net | |
parent | 52d2c42bc4044dd0f78f4b1e35c3010c8b9e6b18 (diff) |
xt_qtaguid: Fix panic caused by processing non-full socket.
In an issue very similar to 4e461c777e3 (xt_qtaguid: Fix panic
caused by synack processing), we were seeing panics on occasion
in testing.
In this case, it was the same issue, but caused by a different
call path, as the sk being returned from qtaguid_find_sk() was
not a full socket. Resulting in the sk->sk_socket deref to fail.
This patch adds an extra check to ensure the sk being retuned
is a full socket, and if not it returns NULL.
Change-Id: Icee0df589ea8d61a999e8c7ea3afdcf4a40b412b
CRs-Fixed: 1035969
Reported-by: Milosz Wasilewski <milosz.wasilewski@linaro.org>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Git-commit: cc0063b8eb44f08bb899fb47d562c67d73b7245b
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: Bryse Flowers <bflowers@codeaurora.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/xt_qtaguid.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/xt_qtaguid.c b/net/netfilter/xt_qtaguid.c index 822dc3c3bce1..e2e7d54f9bb1 100644 --- a/net/netfilter/xt_qtaguid.c +++ b/net/netfilter/xt_qtaguid.c @@ -1606,7 +1606,7 @@ static struct sock *qtaguid_find_sk(const struct sk_buff *skb, * When in TCP_TIME_WAIT the sk is not a "struct sock" but * "struct inet_timewait_sock" which is missing fields. */ - if (sk->sk_state == TCP_TIME_WAIT) { + if (!sk_fullsock(sk) || sk->sk_state == TCP_TIME_WAIT) { sock_gen_put(sk); sk = NULL; } |