linux/net/sctp
Marcelo Ricardo Leitner 649621e3d5 sctp: fix use-after-free in pr_debug statement
Dmitry Vyukov reported a use-after-free in the code expanded by the
macro debug_post_sfx, which is caused by the use of the asoc pointer
after it was freed within sctp_side_effect() scope.

This patch fixes it by allowing sctp_side_effect to clear that asoc
pointer when the TCB is freed.

As Vlad explained, we also have to cover the SCTP_DISPOSITION_ABORT case
because it will trigger DELETE_TCB too on that same loop.

Also, there were places issuing SCTP_CMD_INIT_FAILED and ASSOC_FAILED
but returning SCTP_DISPOSITION_CONSUME, which would fool the scheme
above. Fix it by returning SCTP_DISPOSITION_ABORT instead.

The macro is already prepared to handle such NULL pointer.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-01-11 17:13:01 -05:00
associola.c mm, page_alloc: distinguish between being unable to sleep, unwilling to sleep and avoiding waking kswapd 2015-11-06 17:50:42 -08:00
auth.c sctp: translate host order to network order when setting a hmacid 2015-11-15 18:27:27 -05:00
bind_addr.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
chunk.c switch sctp_user_addto_chunk() and sctp_datamsg_from_user() to passing iov_iter 2014-11-24 05:16:40 -05:00
debug.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
endpointola.c net: sctp: migrate most recently used transport to ktime 2014-06-11 12:23:17 -07:00
input.c sctp: Change sctp to implement csum_levels 2014-08-29 20:41:11 -07:00
inqueue.c net: sctp: fix remote memory pressure from excessive queueing 2014-10-14 12:46:22 -04:00
ipv6.c ipv6: sctp: clone options to avoid use after free 2015-12-11 20:18:40 -05:00
Kconfig net: sctp: get rid of SCTP_DBG_TSNS entirely 2013-07-02 00:08:03 -07:00
Makefile net: sctp: Inline the functions from command.c 2014-07-08 14:38:48 -07:00
objcnt.c sctp: fix checkpatch errors with (foo*)|foo * bar|foo* bar 2013-12-26 13:47:47 -05:00
output.c sctp: Fix race between OOTB responce and route removal 2015-06-29 09:28:42 -07:00
outqueue.c sctp: start t5 timer only when peer rwnd is 0 and local state is SHUTDOWN_PENDING 2015-12-06 22:31:51 -05:00
primitive.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
probe.c sctp: loading sctp when load sctp_probe 2013-12-16 20:04:27 -05:00
proc.c sctp: replace seq_printf with seq_puts 2014-10-30 19:40:16 -04:00
protocol.c sctp: fix race on protocol/netns initialization 2015-09-11 15:00:02 -07:00
sm_make_chunk.c sctp: use the same clock as if sock source timestamps were on 2015-12-05 22:23:22 -05:00
sm_sideeffect.c sctp: fix use-after-free in pr_debug statement 2016-01-11 17:13:01 -05:00
sm_statefuns.c sctp: fix use-after-free in pr_debug statement 2016-01-11 17:13:01 -05:00
sm_statetable.c sctp: fix checkpatch errors with indent 2013-12-26 13:47:48 -05:00
socket.c sctp: sctp should release assoc when sctp_make_abort_user return NULL in sctp_close 2015-12-30 16:57:16 -05:00
ssnmap.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
sysctl.c net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory 2016-01-10 18:01:01 -05:00
transport.c remove abs64() 2015-11-09 15:11:24 -08:00
tsnmap.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
ulpevent.c sctp: Fixup v4mapped behaviour to comply with Sock API 2014-07-31 21:49:06 -07:00
ulpqueue.c net: introduce SO_INCOMING_CPU 2014-11-11 13:00:06 -05:00