nagai/kernel
3
0
Fork 0
forked from mirrors/linux
Code Pull requests Activity

sctp: ensure ep is not destroyed before doing the dump

Browse source 
Now before dumping a sock in sctp_diag, it only holds the sock while
the ep may be already destroyed. It can cause a use-after-free panic
when accessing ep->asocs.

This patch is to set sctp_sk(sk)->ep NULL in sctp_endpoint_destroy,
and check if this ep is already destroyed before dumping this ep.

Suggested-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdrver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Xin Long 2017-06-17 16:10:27 +08:00 committed by David S. Miller
parent 7fe5b91431
commit 86fdb3448c
2 changed files with 4 additions and 2 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

1
net/sctp/endpointola.c
View file

@ -275,6 +275,7 @@ static void sctp_endpoint_destroy(struct sctp_endpoint *ep)
if (sctp_sk(sk)->bind_hash) if (sctp_sk(sk)->bind_hash)
sctp_put_port(sk); sctp_put_port(sk);
sctp_sk(sk)->ep = NULL;
sock_put(sk); sock_put(sk);
} }

5
net/sctp/sctp_diag.c
View file

@ -278,7 +278,6 @@ static int sctp_tsp_dump_one(struct sctp_transport *tsp, void *p)
static int sctp_sock_dump(struct sock *sk, void *p) static int sctp_sock_dump(struct sock *sk, void *p)
{ {
struct sctp_endpoint *ep = sctp_sk(sk)->ep;
struct sctp_comm_param *commp = p; struct sctp_comm_param *commp = p;
struct sk_buff *skb = commp->skb; struct sk_buff *skb = commp->skb;
struct netlink_callback *cb = commp->cb; struct netlink_callback *cb = commp->cb;
@ -287,7 +286,9 @@ static int sctp_sock_dump(struct sock *sk, void *p)
int err = 0; int err = 0;
lock_sock(sk); lock_sock(sk);
list_for_each_entry(assoc, &ep->asocs, asocs) { if (!sctp_sk(sk)->ep)
goto release;
list_for_each_entry(assoc, &sctp_sk(sk)->ep->asocs, asocs) {
if (cb->args[4] < cb->args[1]) if (cb->args[4] < cb->args[1])
goto next; goto next;