| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Aug 2021 11:19:34 -0700
From: Rao Shoaib <Rao.Shoaib@...cle.com>
To: netdev@...r.kernel.org, kuba@...nel.org, rao.shoaib@...cle.com,
viro@...iv.linux.org.uk, edumazet@...gle.com
Subject: [PATCH] af_unix: check socket state when queuing OOB
edumazet@...gle.com pointed out that queue_oob
does not check socket state after acquiring
the lock. He also pointed to an incorrect usage
of kfree_skb and an unnecessary setting of skb
length. This patch addresses those issue.
Signed-off-by: Rao Shoaib <Rao.Shoaib@...cle.com>
---
net/unix/af_unix.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index a626e52c629a..0f59fed993d8 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1891,7 +1891,6 @@ static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other
return err;
skb_put(skb, 1);
- skb->len = 1;
err = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, 1);
if (err) {
@@ -1900,11 +1899,19 @@ static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other
}
unix_state_lock(other);
+
+ if (sock_flag(other, SOCK_DEAD) ||
+ (other->sk_shutdown & RCV_SHUTDOWN)) {
+ unix_state_unlock(other);
+ kfree_skb(skb);
+ return -EPIPE;
+ }
+
maybe_add_creds(skb, sock, other);
skb_get(skb);
if (ousk->oob_skb)
- kfree_skb(ousk->oob_skb);
+ consume_skb(ousk->oob_skb);
ousk->oob_skb = skb;
--
2.27.0
Powered by blists - more mailing lists