forked from Minki/linux
649621e3d5
Dmitry Vyukov reported a use-after-free in the code expanded by the macro debug_post_sfx, which is caused by the use of the asoc pointer after it was freed within sctp_side_effect() scope. This patch fixes it by allowing sctp_side_effect to clear that asoc pointer when the TCB is freed. As Vlad explained, we also have to cover the SCTP_DISPOSITION_ABORT case because it will trigger DELETE_TCB too on that same loop. Also, there were places issuing SCTP_CMD_INIT_FAILED and ASSOC_FAILED but returning SCTP_DISPOSITION_CONSUME, which would fool the scheme above. Fix it by returning SCTP_DISPOSITION_ABORT instead. The macro is already prepared to handle such NULL pointer. Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
---|---|---|
.. | ||
associola.c | ||
auth.c | ||
bind_addr.c | ||
chunk.c | ||
debug.c | ||
endpointola.c | ||
input.c | ||
inqueue.c | ||
ipv6.c | ||
Kconfig | ||
Makefile | ||
objcnt.c | ||
output.c | ||
outqueue.c | ||
primitive.c | ||
probe.c | ||
proc.c | ||
protocol.c | ||
sm_make_chunk.c | ||
sm_sideeffect.c | ||
sm_statefuns.c | ||
sm_statetable.c | ||
socket.c | ||
ssnmap.c | ||
sysctl.c | ||
transport.c | ||
tsnmap.c | ||
ulpevent.c | ||
ulpqueue.c |