Commit 142a2e7e authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller
Browse files

tcp: initialize tp->copied_seq in case of cross SYN connection 

Dmitry provided a syzkaller (http://github.com/google/syzkaller

)
generated program that triggers the WARNING at
net/ipv4/tcp.c:1729 in tcp_recvmsg() :

WARN_ON(tp->copied_seq != tp->rcv_nxt &&
        !(flags & (MSG_PEEK | MSG_TRUNC)));

His program is specifically attempting a Cross SYN TCP exchange,
that we support (for the pleasure of hackers ?), but it looks we
lack proper tcp->copied_seq initialization.

Thanks again Dmitry for your report and testings.

Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
Tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 0f2c0d32

net/ipv4/tcp_input.c

+1 −0
Original line number Diff line number Diff line
@@ -5683,6 +5683,7 @@ discard: 
		}



		tp->rcv_nxt = TCP_SKB_CB(skb)->seq + 1;

		tp->copied_seq = tp->rcv_nxt;

		tp->rcv_wup = TCP_SKB_CB(skb)->seq + 1;



		/* RFC1323: The window in SYN & SYN/ACK segments is

CRA Git | Maintained and supported by SUSTech CRA and CCSE