| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 16 Sep 2022 18:07:27 +0800
From: Liang He <windhl@....com>
To: davem@...emloft.net, yoshfuji@...ux-ipv6.org, dsahern@...nel.org,
edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
netdev@...r.kernel.org
Cc: windhl@....com
Subject: [PATCH] ipv4: ping: Fix potential use-after-free bug
In ping_unhash(), we should move sock_put(sk) after any possible
access point as the put function may free the object.
Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Signed-off-by: Liang He <windhl@....com>
---
I have found other places containing similar code patterns.
net/ipv4/ping.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index b83c2bd9d722..f90c86d37ffc 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -157,10 +157,10 @@ void ping_unhash(struct sock *sk)
spin_lock(&ping_table.lock);
if (sk_hashed(sk)) {
hlist_nulls_del_init_rcu(&sk->sk_nulls_node);
- sock_put(sk);
isk->inet_num = 0;
isk->inet_sport = 0;
sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
+ sock_put(sk);
}
spin_unlock(&ping_table.lock);
}
--
2.25.1
Powered by blists - more mailing lists