| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e438fc67-665a-48b6-b414-0641821e0bf3@kadam.mountain> Date: Fri, 6 Oct 2023 07:07:34 +0300 From: Dan Carpenter <dan.carpenter@...aro.org> To: Alexander Aring <aahringo@...hat.com> Cc: Alexander Aring <alex.aring@...il.com>, Stefan Schmidt <stefan@...enfreihafen.org>, Miquel Raynal <miquel.raynal@...tlin.com>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Angus Chen <angus.chen@...uarmicro.com>, Luis Chamberlain <mcgrof@...nel.org>, Joel Granados <joel.granados@...il.com>, linux-wpan@...r.kernel.org, netdev@...r.kernel.org, kernel-janitors@...r.kernel.org Subject: Re: [PATCH net] 6lowpan: fix double free in lowpan_frag_rcv() On Thu, Oct 05, 2023 at 06:10:13PM -0400, Alexander Aring wrote: > Hi, > > On Wed, Oct 4, 2023 at 5:22 AM Dan Carpenter <dan.carpenter@...aro.org> wrote: > > > > The skb() is freed by the caller in lowpan_invoke_rx_handlers() so this > > free is a double free. > > > > lowpan_frag_rcv() does not call lowpan_invoke_rx_handlers(), it calls > lowpan_invoke_frag_rx_handlers(), or is there something I overlooked > here? Actually now that I look at it more closely this isn't a bug. The way I was looking at it was that it was the other way around. lowpan_invoke_rx_handlers() is the caller. But actually this returns -1. lowpan_invoke_rx_handlers() will pass the freed skb to lowpan_rx_handlers_result() but the -1 gets translated to RX_DROP in lowpan_rx_h_frag() then it just returns NET_RX_DROP. It's a no-op and not a double free. Sorry! regards, dan carpenter
Powered by blists - more mailing lists