brain-hackers_pepepper-mirror/linux-brain
1
0
Fork 0
mirror of https://github.com/brain-hackers/linux-brain.git synced 2024-06-09 15:26:21 +09:00
Code Issues Projects Releases Wiki Activity
4.9-2.0.x-imx
linux-brain/net/sctp
History
Xin Long 36bf8bc54a sctp: hold transport before accessing its asoc in sctp_transport_get_next 
[ Upstream commit bab1be79a5 ]

As Marcelo noticed, in sctp_transport_get_next, it is iterating over
transports but then also accessing the association directly, without
checking any refcnts before that, which can cause an use-after-free
Read.

So fix it by holding transport before accessing the association. With
that, sctp_transport_hold calls can be removed in the later places.

Fixes: 626d16f50f ("sctp: export some apis or variables for sctp_diag and reuse some for proc")
Reported-by: syzbot+fe62a0c9aa6a85c6de16@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-15 09:42:56 +02:00
..
associola.c sctp: delay the authentication for the duplicated cookie-echo chunk 2018-05-19 10:26:59 +02:00
auth.c sctp: use IS_ENABLED() instead of checking for built-in or module 2016-09-10 21:19:11 -07:00
bind_addr.c sctp: fix copying more bytes than expected in sctp_add_bind_addr 2016-03-08 15:04:08 -05:00
chunk.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-10-02 22:20:41 -04:00
debug.c net: sctp: fix array overrun read on sctp_timer_tbl 2017-12-09 22:01:53 +01:00
endpointola.c sctp: add SCTP_PR_SUPPORTED on sctp sockopt 2016-07-11 13:25:38 -07:00
input.c sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect 2017-11-18 11:22:21 +01:00
inqueue.c sctp: fix the issue that the cookie-ack with auth can't get processed 2018-05-19 10:26:59 +02:00
ipv6.c sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr 2018-05-19 10:26:58 +02:00
Kconfig sctp: add the sctp_diag.c file 2016-04-15 17:29:36 -04:00
Makefile sctp: Add GSO support 2016-06-03 19:37:21 -04:00
objcnt.c sctp: fix checkpatch errors with (foo*)|foo * bar|foo* bar 2013-12-26 13:47:47 -05:00
offload.c gso: validate gso_type in GSO handlers 2018-01-31 12:55:55 +01:00
output.c sctp: fix the panic caused by route update 2016-10-26 17:32:19 -04:00
outqueue.c sctp: only update outstanding_bytes for transmitted queue when doing prsctp_prune 2018-02-25 11:05:47 +01:00
primitive.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
probe.c net: sctp: Convert log timestamps to be y2038 safe 2016-03-01 17:18:44 -05:00
proc.c sctp: hold transport before accessing its asoc in sctp_transport_get_next 2018-09-15 09:42:56 +02:00
protocol.c sctp: fix dst refcnt leak in sctp_v4_get_dst 2018-03-11 16:21:32 +01:00
sctp_diag.c sctp: Avoid out-of-bounds reads from address storage 2017-09-20 08:19:54 +02:00
sm_make_chunk.c sctp: verify size of a new chunk in _sctp_make_chunk() 2018-03-11 16:21:34 +01:00
sm_sideeffect.c sctp: make sctp_outq_flush/tail/uncork return void 2016-09-18 22:02:33 -04:00
sm_statefuns.c sctp: delay the authentication for the duplicated cookie-echo chunk 2018-05-19 10:26:59 +02:00
sm_statetable.c sctp: fix checkpatch errors with indent 2013-12-26 13:47:48 -05:00
socket.c sctp: hold transport before accessing its asoc in sctp_transport_get_next 2018-09-15 09:42:56 +02:00
ssnmap.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
sysctl.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-01-11 23:55:43 -05:00
transport.c sctp: not allow transport timeout value less than HZ/5 for hb_timer 2018-06-13 16:16:43 +02:00
tsnmap.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
ulpevent.c sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg 2018-05-19 10:26:58 +02:00
ulpqueue.c sctp: fix missing wake ups in some situations 2017-09-20 08:19:56 +02:00