| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 03 May 2007 10:53:15 +0100 From: David Howells <dhowells@...hat.com> To: akpm@...l.org Cc: linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, netdev@...r.kernel.org, kaber@...sh.net, dhowells@...hat.com Subject: [PATCH 1/5] [NETLINK]: Fix use after free in netlink_recvmsg When the user passes in MSG_TRUNC the skb is used after getting freed. Signed-off-by: Patrick McHardy <kaber@...sh.net> Signed-off-by: David Howells <dhowells@...hat.com> --- net/netlink/af_netlink.c | 6 ++---- 1 files changed, 2 insertions(+), 4 deletions(-) diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 42d2fb9..7419f70 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -1245,16 +1245,14 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, siocb->scm = &scm; } siocb->scm->creds = *NETLINK_CREDS(skb); + if (flags & MSG_TRUNC) + copied = skb->len; skb_free_datagram(sk, skb); if (nlk->cb && atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2) netlink_dump(sk); scm_recv(sock, msg, siocb->scm, flags); - - if (flags & MSG_TRUNC) - copied = skb->len; - out: netlink_rcv_wake(sk); return err ? : copied; - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists