linux/net/sctp
Xin Long 1cc276cec9 sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect
Now sctp processes icmp redirect packet in sctp_icmp_redirect where
it calls sctp_transport_dst_check in which tp->dst can be released.

The problem is before calling sctp_transport_dst_check, it doesn't
check sock_owned_by_user, which means tp->dst could be freed while
a process is accessing it with owning the socket.

An use-after-free issue could be triggered by this.

This patch is to fix it by checking sock_owned_by_user before calling
sctp_transport_dst_check in sctp_icmp_redirect, so that it would not
release tp->dst if users still hold sock lock.

Besides, the same issue fixed in commit 45caeaa5ac ("dccp/tcp: fix
routing redirect race") on sctp also needs this check.

Fixes: 55be7a9c60 ("ipv4: Add redirect support to all protocol icmp error handlers")
Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-20 12:53:45 +01:00
..
associola.c sctp: remove the typedef sctp_subtype_t 2017-08-06 21:33:42 -07:00
auth.c sctp: remove the typedef sctp_hmac_algo_param_t 2017-07-16 20:52:14 -07:00
bind_addr.c sctp: remove the typedef sctp_scope_t 2017-08-06 21:33:41 -07:00
chunk.c sctp: remove the typedef sctp_auth_chunk_t 2017-08-03 09:45:47 -07:00
debug.c sctp: remove the typedef sctp_subtype_t 2017-08-06 21:33:42 -07:00
endpointola.c sctp: remove the typedef sctp_subtype_t 2017-08-06 21:33:42 -07:00
input.c sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect 2017-10-20 12:53:45 +01:00
inqueue.c sctp: remove the typedef sctp_chunkhdr_t 2017-07-01 09:08:41 -07:00
ipv6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-08-21 17:06:42 -07:00
Kconfig sctp: add the sctp_diag.c file 2016-04-15 17:29:36 -04:00
Makefile sctp: prepare asoc stream for stream reconf 2017-01-06 21:07:26 -05:00
objcnt.c sctp: remove the typedef sctp_dbg_objcnt_entry_t 2017-08-11 10:02:43 -07:00
offload.c net: use skb->csum_not_inet to identify packets needing crc32c 2017-05-19 19:21:29 -04:00
output.c sctp: remove the typedef sctp_xmit_t 2017-08-06 21:33:42 -07:00
outqueue.c sctp: remove the typedef sctp_xmit_t 2017-08-06 21:33:42 -07:00
primitive.c sctp: remove the typedef sctp_subtype_t 2017-08-06 21:33:42 -07:00
probe.c sctp: remove the typedef sctp_disposition_t 2017-08-11 10:02:44 -07:00
proc.c net: convert sock.sk_wmem_alloc from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
protocol.c sctp: remove the typedef sctp_scope_t 2017-08-06 21:33:41 -07:00
sctp_diag.c sctp: Fix a big endian bug in sctp_diag_dump() 2017-09-26 21:16:29 -07:00
sm_make_chunk.c sctp: fix some indents in sm_make_chunk.c 2017-08-11 10:02:44 -07:00
sm_sideeffect.c sctp: remove the typedef sctp_disposition_t 2017-08-11 10:02:44 -07:00
sm_statefuns.c sctp: remove the typedef sctp_disposition_t 2017-08-11 10:02:44 -07:00
sm_statetable.c sctp: remove the typedef sctp_sm_table_entry_t 2017-08-11 10:02:44 -07:00
socket.c sctp: do not peel off an assoc from one netns to another one 2017-10-19 13:16:07 +01:00
stream.c sctp: remove the typedef sctp_paramhdr_t 2017-07-01 09:08:41 -07:00
sysctl.c sctp: remove the typedef sctp_scope_policy_t 2017-08-06 21:33:41 -07:00
transport.c sctp: remove the typedef sctp_lower_cwnd_t 2017-08-06 21:33:41 -07:00
tsnmap.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
ulpevent.c sctp: remove the typedef sctp_errhdr_t 2017-08-03 09:45:46 -07:00
ulpqueue.c sctp: fix missing wake ups in some situations 2017-09-08 10:02:47 -07:00