| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 30 Nov 2019 12:05:40 -0800
From: Cong Wang <xiyou.wangcong@...il.com>
To: netdev@...r.kernel.org
Cc: Cong Wang <xiyou.wangcong@...il.com>,
syzbot+9fe8e3f6c64aa5e5d82c@...kaller.appspotmail.com
Subject: [Patch net] netrom: fix a potential NULL pointer dereference
It is possible that the skb gets removed between skb_peek() and
skb_dequeue(). So we should just check the return value of
skb_dequeue(). Otherwise, skb_clone() may get a NULL pointer.
Technically, this should be protected by sock lock, but netrom
doesn't use it correctly. It is harder to fix sock lock than just
fixing this.
Reported-by: syzbot+9fe8e3f6c64aa5e5d82c@...kaller.appspotmail.com
Signed-off-by: Cong Wang <xiyou.wangcong@...il.com>
---
net/netrom/nr_out.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/net/netrom/nr_out.c b/net/netrom/nr_out.c
index 44929657f5b7..9491a0c02bce 100644
--- a/net/netrom/nr_out.c
+++ b/net/netrom/nr_out.c
@@ -131,9 +131,6 @@ void nr_kick(struct sock *sk)
if (nr->condition & NR_COND_PEER_RX_BUSY)
return;
- if (!skb_peek(&sk->sk_write_queue))
- return;
-
start = (skb_peek(&nr->ack_queue) == NULL) ? nr->va : nr->vs;
end = (nr->va + nr->window) % NR_MODULUS;
@@ -151,6 +148,8 @@ void nr_kick(struct sock *sk)
* Dequeue the frame and copy it.
*/
skb = skb_dequeue(&sk->sk_write_queue);
+ if (!skb)
+ return;
do {
if ((skbn = skb_clone(skb, GFP_ATOMIC)) == NULL) {
--
2.21.0
Powered by blists - more mailing lists