lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 10 Nov 2007 01:13:42 +0100 From: Patrick McHardy <kaber@...sh.net> To: Joe Perches <joe@...ches.com> CC: "Luis R. Rodriguez" <mcgrof@...il.com>, netdev@...r.kernel.org, linux-wireless@...r.kernel.org, Jeff Garzik <jeff@...zik.org>, David Miller <davem@...emloft.net> Subject: Re: [PATCH] Fix infinite loop on dev_mc_unsync() Joe Perches wrote: > On Sat, 2007-11-10 at 00:12 +0100, Patrick McHardy wrote: > >> This may cause a use-after-free since __dev_addr_delete frees the address >> when all references are gone. >> > > How about a comment then? Perhaps: > > diff --git a/net/core/dev_mcast.c b/net/core/dev_mcast.c > index ae35405..63576aa 100644 > --- a/net/core/dev_mcast.c > +++ b/net/core/dev_mcast.c > @@ -165,16 +165,23 @@ void dev_mc_unsync(struct net_device *to, struct net_device *from) > netif_tx_lock_bh(from); > netif_tx_lock_bh(to); > > + /* > + This while loop can't be written as > + for (da = from->mc_list; da; da = da->next) > + da = from->mc_list and __dev_addr_delete can kfree(from->mc_list) > + which could cause a use-after-free of da->next > + */ > Seems unnecessary to me, we also don't comment each list_for_each_entry_safe iteration. I consider the use of a seperate next variable self-explanatory. - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists