summaryrefslogtreecommitdiff
path: root/net/ax25
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2014-04-11 16:15:36 -0400
committerDavid S. Miller <davem@davemloft.net>2014-04-11 16:15:36 -0400
commit676d23690fb62b5d51ba5d659935e9f7d9da9f8e (patch)
treef6fbceee43e05c724868153ca37b702fb5e43b8c /net/ax25
parentad20d5f673898578f9d8a156d7a4c921f5ca4584 (diff)
downloadlwn-676d23690fb62b5d51ba5d659935e9f7d9da9f8e.tar.gz
lwn-676d23690fb62b5d51ba5d659935e9f7d9da9f8e.zip
net: Fix use after free by removing length arg from sk_data_ready callbacks.
Several spots in the kernel perform a sequence like: skb_queue_tail(&sk->s_receive_queue, skb); sk->sk_data_ready(sk, skb->len); But at the moment we place the SKB onto the socket receive queue it can be consumed and freed up. So this skb->len access is potentially to freed up memory. Furthermore, the skb->len can be modified by the consumer so it is possible that the value isn't accurate. And finally, no actual implementation of this callback actually uses the length argument. And since nobody actually cared about it's value, lots of call sites pass arbitrary values in such as '0' and even '1'. So just remove the length argument from the callback, that way there is no confusion whatsoever and all of these use-after-free cases get fixed as a side effect. Based upon a patch by Eric Dumazet and his suggestion to audit this issue tree-wide. Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ax25')
-rw-r--r--net/ax25/ax25_in.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c
index 96f4cab3a2f9..7ed8ab724819 100644
--- a/net/ax25/ax25_in.c
+++ b/net/ax25/ax25_in.c
@@ -422,7 +422,7 @@ static int ax25_rcv(struct sk_buff *skb, struct net_device *dev,
if (sk) {
if (!sock_flag(sk, SOCK_DEAD))
- sk->sk_data_ready(sk, skb->len);
+ sk->sk_data_ready(sk);
sock_put(sk);
} else {
free: