author | Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> | 2016-01-08 11:00:54 -0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2016-01-11 17:13:01 -0500 |
commit | 649621e3d54439ae232d726d7beef295d3887a68 (patch) | |
tree | e8229276e251856aab325ce510d22cd51a35e3f0 /net/ipv4 | |
parent | 366ce60315292a579b8ceae2777102e1954a2024 (diff) | |
sctp: fix use-after-free in pr_debug statement

Dmitry Vyukov reported a use-after-free in the code expanded by the
macro debug_post_sfx, which is caused by the use of the asoc pointer
after it was freed within sctp_side_effect() scope.

This patch fixes it by allowing sctp_side_effect to clear that asoc
pointer when the TCB is freed.

As Vlad explained, we also have to cover the SCTP_DISPOSITION_ABORT case
because it will trigger DELETE_TCB too on that same loop.

Also, there were places issuing SCTP_CMD_INIT_FAILED and ASSOC_FAILED
but returning SCTP_DISPOSITION_CONSUME, which would fool the scheme
above. Fix it by returning SCTP_DISPOSITION_ABORT instead.

The macro is already prepared to handle such NULL pointer.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4')
0 files changed, 0 insertions, 0 deletions
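
The pattern the commit message describes, as an added user-space example that is not the kernel code or part of this commit: the side-effect step receives the caller's pointer by reference and clears it when the object is freed, so the later debug print sees NULL instead of freed memory. All names (`struct assoc`, `side_effects`, `debug_post`, `run_event`, the `DISP_*` values) are hypothetical stand-ins, and the model assumes the free and the pointer clear are both keyed on the returned disposition.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical user-space stand-ins; none of these are kernel definitions. */
enum disposition { DISP_CONSUME, DISP_DELETE_TCB, DISP_ABORT };
struct assoc { int id; };

/* Models the post-processing debug print: it must tolerate a NULL asoc. */
static int debug_post(const struct assoc *asoc)
{
    int id = asoc ? asoc->id : -1;   /* -1 marks "association is gone" */
    printf("post: asoc id %d\n", id);
    return id;
}

/* Models the side-effect step: frees the association for the dispositions
 * that delete the TCB and clears the caller's pointer through **asoc. */
static void side_effects(enum disposition status, struct assoc **asoc)
{
    switch (status) {
    case DISP_DELETE_TCB:
    case DISP_ABORT:            /* ABORT also ends in a TCB delete */
        free(*asoc);
        *asoc = NULL;           /* caller can no longer dereference it */
        break;
    case DISP_CONSUME:
        break;                  /* association stays alive */
    }
}

/* Models the state-machine entry point: run side effects, then log. */
static int run_event(enum disposition status, int id)
{
    struct assoc *asoc = malloc(sizeof(*asoc));
    int seen;
    if (!asoc)
        return -2;              /* allocation failure, not an asoc id */
    asoc->id = id;
    side_effects(status, &asoc);
    seen = debug_post(asoc);    /* safe: NULL if the TCB was freed */
    free(asoc);                 /* free(NULL) is a no-op */
    return seen;
}

int main(void)
{
    run_event(DISP_CONSUME, 7);
    run_event(DISP_ABORT, 8);
    return 0;
}
```

Because the clear depends on the disposition, a handler that tears the association down but reports a "consume" result would leave the caller holding a stale pointer, which is why the commit message also changes those return values.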