Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichal Kubecek <mkubecek@suse.cz>2019-06-11 09:55:01 +0200
committerMichal Kubecek <mkubecek@suse.cz>2019-06-11 09:55:01 +0200
commit52c6a0b0c92828c67ff5d491bb541b899e5b902d (patch)
tree1e454831b306a7c953490566895081e0113491d9
parent69a83dd956dfd20fd534acd9bfd1f42fd7f91c76 (diff)
tcp: fix fack_count accounting on tcp_shift_skb_data()
(CVE-2019-11477 bsc#1137586). suse-commit: 4a006b25335fa286c6ee433d8c176aa5cd67b3fe
-rw-r--r--net/ipv4/tcp_input.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 85119df5bbbf..75a2b0a665ac 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1419,6 +1419,7 @@ static struct sk_buff *tcp_shift_skb_data(struct sock *sk, struct sk_buff *skb,
struct tcp_sock *tp = tcp_sk(sk);
struct sk_buff *prev;
int mss;
+ int next_pcount;
int pcount = 0;
int len;
int in_sack;
@@ -1535,9 +1536,11 @@ static struct sk_buff *tcp_shift_skb_data(struct sock *sk, struct sk_buff *skb,
goto out;
len = skb->len;
- pcount = tcp_skb_pcount(skb);
- if (tcp_skb_shift(prev, skb, pcount, len))
- tcp_shifted_skb(sk, skb, state, pcount, len, mss, 0);
+ next_pcount = tcp_skb_pcount(skb);
+ if (tcp_skb_shift(prev, skb, next_pcount, len)) {
+ pcount += next_pcount;
+ tcp_shifted_skb(sk, skb, state, next_pcount, len, mss, 0);
+ }
out:
state->fack_count += pcount;