path: root/drivers/net
author: Florian Westphal <fw@strlen.de> 2020-02-06 00:39:37 +0100
committer: David S. Miller <davem@davemloft.net> 2020-02-06 11:25:09 +0100
commit: b0519de8b3f1caf10632aca55def999ec2d2f1bc (patch)
tree: b95ccc010e7691b0715d76e2b9f74e4489876894 /drivers/net
parent: 0202d293c2faecba791ba4afc5aec086249c393d (diff)
mptcp: fix use-after-free for ipv6
Turns out that when we accept a new subflow, the newly created inet_sk(tcp_sk)->pinet6 points at the ipv6_pinfo structure of the listener socket.

This wasn't caught by the selftest because it closes the accepted fd before the listening one. Adding a close(listenfd) after accept returns is enough:

BUG: KASAN: use-after-free in inet6_getname+0x6ba/0x790
Read of size 1 at addr ffff88810e310866 by task mptcp_connect/2518

Call Trace:
 inet6_getname+0x6ba/0x790
 __sys_getpeername+0x10b/0x250
 __x64_sys_getpeername+0x6f/0xb0

Also alter test program to exercise this.

Reported-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
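The commit message points out that the existing selftest missed the bug only because of operation ordering: it closed the accepted fd before the listener. The program below is an added example, not the kernel's mptcp_connect selftest or any code from this commit. It performs the ordering that exposes the problem: accept(), close the listening socket, then getpeername() on the accepted socket. On a fixed kernel getpeername() simply succeeds; on a kernel with the bug, with an MPTCP listener over IPv6 and KASAN enabled, that call is where the use-after-free in inet6_getname() fires. The IPPROTO_MPTCP value (262) comes from the kernel UAPI and is defined here only in case the libc headers lack it; the program falls back to plain TCP where MPTCP is unavailable and to IPv4 loopback where ::1 is missing, so it runs on an ordinary host, though it can only demonstrate the crash on a vulnerable kernel.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IPPROTO_MPTCP
#define IPPROTO_MPTCP 262   /* kernel UAPI value; assumed here if libc headers lack it */
#endif

/* Open a stream socket, asking for MPTCP first and falling back to TCP when
 * the kernel has no MPTCP support or it is disabled. *proto reports the result. */
static int stream_socket(int family, int *proto)
{
    int fd = socket(family, SOCK_STREAM, IPPROTO_MPTCP);
    if (fd < 0) {
        fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
        *proto = IPPROTO_TCP;
    } else {
        *proto = IPPROTO_MPTCP;
    }
    return fd;
}

/* Fill in a loopback address with an ephemeral port (0) for the given family. */
static socklen_t loopback_addr(int family, struct sockaddr_storage *ss)
{
    memset(ss, 0, sizeof(*ss));
    if (family == AF_INET6) {
        struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)ss;
        a6->sin6_family = AF_INET6;
        a6->sin6_addr = in6addr_loopback;
        return sizeof(*a6);
    }
    struct sockaddr_in *a4 = (struct sockaddr_in *)ss;
    a4->sin_family = AF_INET;
    a4->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    return sizeof(*a4);
}

/* The ordering the commit message describes: accept, close the listener, then
 * getpeername() on the accepted socket. Returns 0 when getpeername() succeeds
 * and reports the expected address family, -1 on any failure. */
int accept_close_listener_getpeername(int family)
{
    struct sockaddr_storage ss, peer;
    socklen_t len = loopback_addr(family, &ss);
    socklen_t plen = sizeof(peer);
    int proto, rc = -1;
    int lfd = -1, cfd = -1, afd = -1;

    lfd = stream_socket(family, &proto);
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&ss, len) < 0 || listen(lfd, 1) < 0)
        goto out;
    /* Learn the ephemeral port the listener actually received. */
    if (getsockname(lfd, (struct sockaddr *)&ss, &len) < 0)
        goto out;

    /* Client side uses the same protocol as the listener. */
    cfd = socket(family, SOCK_STREAM, proto);
    if (cfd < 0 || connect(cfd, (struct sockaddr *)&ss, len) < 0)
        goto out;

    afd = accept(lfd, NULL, NULL);
    if (afd < 0)
        goto out;

    /* Key step: drop the listener before querying the accepted socket's peer.
     * With the bug, afd's IPv6 state still points into the freed listener's. */
    close(lfd);
    lfd = -1;

    if (getpeername(afd, (struct sockaddr *)&peer, &plen) < 0)
        goto out;
    if (peer.ss_family == family)
        rc = 0;
out:
    if (lfd >= 0) close(lfd);
    if (cfd >= 0) close(cfd);
    if (afd >= 0) close(afd);
    return rc;
}

/* Prefer the IPv6 path (the one this fix concerns); fall back to IPv4 loopback
 * on hosts without ::1. Returns the address family exercised, or -1. */
int run_reproducer(void)
{
    if (accept_close_listener_getpeername(AF_INET6) == 0)
        return AF_INET6;
    if (accept_close_listener_getpeername(AF_INET) == 0)
        return AF_INET;
    return -1;
}

int main(void)
{
    int fam = run_reproducer();
    if (fam < 0) {
        perror("reproducer failed");
        return 1;
    }
    printf("getpeername() after close(listenfd) succeeded over %s\n",
           fam == AF_INET6 ? "IPv6" : "IPv4");
    return 0;
}
```

The useful property of this ordering for a regression test is that it makes the lifetime dependency explicit: anything the accepted socket borrowed from the listener is gone by the time getpeername() runs, so a shared pinet6 pointer cannot go unnoticed. Running it under a KASAN kernel is what turns the silent dangling pointer into the report quoted in the commit message.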
Diffstat (limited to 'drivers/net')
0 files changed, 0 insertions, 0 deletions