Unverified Commit 71b9b918 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!8982 fix CVE-2024-36905

Merge Pull Request from: @ci-robot 
 
PR sync from: Zhengchao Shao <shaozhengchao@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/BGPPLPQ5LKDKIP54NW3QXPCL2VFELPZR/ 
fix CVE-2024-36905

Eric Dumazet (1):
  tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets

Paolo Abeni (1):
  net: relax socket state check at accept time.


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/I9U4IQ 
 
Link:https://gitee.com/openeuler/kernel/pulls/8982

 

Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Signed-off-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
parents bb3285aa a1f98e0e
+3 −1
@@ -757,7 +757,9 @@ int inet_accept(struct socket *sock, struct socket *newsock, int flags,
	sock_rps_record_flow(sk2);
	WARN_ON(!((1 << sk2->sk_state) &
		  (TCPF_ESTABLISHED | TCPF_SYN_RECV |
		  TCPF_CLOSE_WAIT | TCPF_CLOSE)));
		   TCPF_FIN_WAIT1 | TCPF_FIN_WAIT2 |
		   TCPF_CLOSING | TCPF_CLOSE_WAIT |
		   TCPF_CLOSE)));

	sock_graft(sk2, newsock);
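Review bot: The `WARN_ON` in inet_accept still fires on any sk_state outside the listed mask, and the state of an accepted socket depends on what the peer and a concurrent shutdown() did before accept() returned; on hosts that set panic_on_warn, a state the mask misses becomes an outage rather than a log line. Consider `WARN_ON_ONCE(...)` so a repeatable trigger cannot flood the log. A comment above the check would also help, for example `/* an accepted socket may already have left ESTABLISHED: the peer or a local shutdown() can act before accept() returns */`. inet_accept's body starts and ends outside this hunk, so the locking around the read of sk2->sk_state is not visible here.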

+2 −2
@@ -2527,7 +2527,7 @@ void tcp_shutdown(struct sock *sk, int how)
	/* If we've already sent a FIN, or it's a closed state, skip this. */
	if ((1 << sk->sk_state) &
	    (TCPF_ESTABLISHED | TCPF_SYN_SENT |
	     TCPF_SYN_RECV | TCPF_CLOSE_WAIT)) {
	     TCPF_CLOSE_WAIT)) {
		/* Clear out any half completed packets.  FIN if needed. */
		if (tcp_close_state(sk))
			tcp_send_fin(sk);
@@ -2638,7 +2638,7 @@ void __tcp_close(struct sock *sk, long timeout)
		 * machine. State transitions:
		 *
		 * TCP_ESTABLISHED -> TCP_FIN_WAIT1
		 * TCP_SYN_RECV	-> TCP_FIN_WAIT1 (forget it, it's impossible)
		 * TCP_SYN_RECV	-> TCP_FIN_WAIT1 (it is difficult)
		 * TCP_CLOSE_WAIT -> TCP_LAST_ACK
		 *
		 * are legal only when FIN has been sent (i.e. in window),
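Review bot: The comment above the state mask in tcp_shutdown is now stale: it says the FIN is skipped only when one was already sent or the socket is closed, but with TCPF_SYN_RECV dropped from the mask a SYN_RECV socket is skipped too, and nothing at this site says where its FIN goes. I would reword it to `/* If we've already sent a FIN, or it's a closed state, skip this. TCP_SYN_RECV is skipped as well: its FIN is sent later from tcp_rcv_state_process(). */`. The reworded note in the __tcp_close comment, `(it is difficult)`, is similarly vague and would read better if it named the deferral. Both functions continue outside their hunks.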
+2 −0
@@ -6541,6 +6541,8 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb)

		tcp_initialize_rcv_mss(sk);
		tcp_fast_path_on(tp);
		if (sk->sk_shutdown & SEND_SHUTDOWN)
			tcp_shutdown(sk, SEND_SHUTDOWN);
		break;

	case TCP_FIN_WAIT1: {
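Review bot: The added `if (sk->sk_shutdown & SEND_SHUTDOWN)` branch in tcp_rcv_state_process has no comment, and it is not obvious from this site that it replays a shutdown() that tcp_shutdown declined to act on earlier. A line such as `/* shutdown(SEND_SHUTDOWN) was requested before the handshake finished; send the deferred FIN now */` would tie the two halves of the fix together. The call only sends a FIN if sk_state already matches tcp_shutdown's mask at this point; the state assignment is above the hunk, so that ordering should be confirmed there. tcp_send_fin also returns without sending when its allocation fails, so the deferred FIN can be lost silently under memory pressure.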
+3 −1
@@ -3495,7 +3495,9 @@ void tcp_send_fin(struct sock *sk)
			return;
		}
	} else {
		skb = alloc_skb_fclone(MAX_TCP_HEADER, sk->sk_allocation);
		skb = alloc_skb_fclone(MAX_TCP_HEADER,
				       sk_gfp_mask(sk, GFP_ATOMIC |
						       __GFP_NOWARN));
		if (unlikely(!skb))
			return;