| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 10 Jan 2018 21:08:50 +0100
From: Jon Maloy <jon.maloy@...csson.com>
To: <davem@...emloft.net>, <netdev@...r.kernel.org>
CC: <mohan.krishna.ghanta.krishnamurthy@...csson.com>,
<tung.q.nguyen@...tech.com.au>, <hoang.h.le@...tech.com.au>,
<jon.maloy@...csson.com>, <canh.d.luu@...tech.com.au>,
<ying.xue@...driver.com>, <tipc-discussion@...ts.sourceforge.net>
Subject: [net-next 1/1] tipc: fix a potental access after delete in tipc_sk_join()
In commit d12d2e12cec2 "tipc: send out join messages as soon as new
member is discovered") we added a call to the function tipc_group_join()
without considering the case that the preceding tipc_sk_publish() might
have failed, and the group item already deleted.
We fix this by returning from tipc_sk_join() directly after the
failed tipc_sk_publish.
Reported-by: syzbot+e3eeae78ea88b8d6d858@...kaller.appspotmail.com
Signed-off-by: Jon Maloy <jon.maloy@...csson.com>
---
net/tipc/socket.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 1f23627..f38264d 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -2774,6 +2774,7 @@ static int tipc_sk_join(struct tipc_sock *tsk, struct tipc_group_req *mreq)
if (rc) {
tipc_group_delete(net, grp);
tsk->group = NULL;
+ return rc;
}
/* Eliminate any risk that a broadcast overtakes sent JOINs */
tsk->mc_method.rcast = true;
--
2.1.4
Powered by blists - more mailing lists