tcp: fix crash in tcp_xmit_retransmit_queue

It can happen that there are no packets in queue while calling tcp_xmit_retransmit_queue(). tcp_write_queue_head() then returns NULL and that gets deref'ed to get sacked into a local var. There is no work to do if no packets are outstanding so we just exit early. This oops was introduced by 08ebd17 (tcp: remove tp->lost_out guard to make joining diff nicer). Signed-off-by: Ilpo Järvinen <[email protected]> Reported-by: Lennart Schulte <[email protected]> Tested-by: Lennart Schulte <[email protected]> Signed-off-by: David S. Miller <[email protected]>
mrcsosa · Jul 19, 2010 · 45e77d3 · 45e77d3
1 parent b508998
commit 45e77d3
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
@@ -2208,6 +2208,9 @@ void tcp_xmit_retransmit_queue(struct sock *sk)
 	int mib_idx;
 	int fwd_rexmitting = 0;
 
+	if (!tp->packets_out)
+		return;
+
 	if (!tp->lost_out)
 		tp->retransmit_high = tp->snd_una;