Date:	Fri,  9 Aug 2013 12:07:29 +0200
From:	Daniel Borkmann <dborkman@...hat.com>
To:	davem@...emloft.net
Cc:	netdev@...r.kernel.org, linux-sctp@...r.kernel.org
Subject: [PATCH net] net: sctp: sctp_transport_destroy{,_rcu}: fix potential pointer corruption

Probably this one is quite unlikely to be triggered, but it's more safe
to hold a pointer to asoc and packet (instead of dereferencing) and access
both through this after we have called sctp_transport_destroy_rcu() where
the transport is being kfree()'d. Introduced by commit 8c98653f ("sctp:
sctp_close: fix release of bindings for deferred call_rcu's").

Signed-off-by: Daniel Borkmann <dborkman@...hat.com>
---
 net/sctp/transport.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/sctp/transport.c b/net/sctp/transport.c
index bdbbc3f..7142756 100644
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -176,6 +176,9 @@ static void sctp_transport_destroy_rcu(struct rcu_head *head)
  */
 static void sctp_transport_destroy(struct sctp_transport *transport)
 {
+	struct sctp_association *asoc = transport->asoc;
+	struct sctp_packet *packet = &transport->packet;
+
 	if (unlikely(!transport->dead)) {
 		WARN(1, "Attempt to destroy undead transport %p!\n", transport);
 		return;
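
Review bot: packet is initialised with &transport->packet, which is an address inside the transport object itself, so caching it does not move the packet out of the memory that sctp_transport_destroy_rcu() kfree()s. Only asoc, which copies a pointer to a separate object, is actually decoupled from the transport's lifetime. If the packet must be released safely, free it before call_rcu() or from inside the RCU callback instead of through a saved interior pointer. Minor: both locals are loaded before the dead check, although the WARN path never uses them.
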
@@ -183,10 +186,10 @@ static void sctp_transport_destroy(struct sctp_transport *transport)
 
 	call_rcu(&transport->rcu, sctp_transport_destroy_rcu);
 
-	sctp_packet_free(&transport->packet);
+	sctp_packet_free(packet);
 
-	if (transport->asoc)
-		sctp_association_put(transport->asoc);
+	if (asoc != NULL)
+		sctp_association_put(asoc);
 }
 
 /* Start T3_rtx timer if it is not already running and update the heartbeat
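
Review bot: sctp_packet_free() and sctp_association_put() still run after call_rcu(&transport->rcu, sctp_transport_destroy_rcu) in this hunk, so the function remains correct only as long as the grace period does not end before it returns. Making call_rcu() the last statement, if the callback does not itself need the association reference, would remove that dependency and make the cached locals unnecessary. Style: "if (asoc != NULL)" replaces "if (transport->asoc)"; the usual kernel form is "if (asoc)".
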
-- 
1.7.11.7
