Re: [PATCH] dccp: fix use-after-free after cloning struct dccp_sock

From: David Miller
Date: Tue Dec 22 2015 - 15:34:32 EST

Next message: Maxime Ripard: "Re: [PATCH] [media] rc: sunxi-cir: Initialize the spinlock properly"
Previous message: kbuild test robot: "Re: [PATCH RESEND v4] arm: remove !CPU_V6 and !GENERIC_ATOMIC64 build dependencies for XEN"
In reply to: Vegard Nossum: "[PATCH] dccp: fix use-after-free after cloning struct dccp_sock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Vegard Nossum <vegard.nossum@xxxxxxxxxx>
Date: Sun, 20 Dec 2015 21:53:27 +0100

> @@ -115,6 +115,10 @@ struct sock *dccp_create_openreq_child(const struct sock *sk,
> newdp->dccps_isr = dreq->dreq_isr;
> newdp->dccps_gsr = dreq->dreq_gsr;
>
> + newdp->dccps_hc_rx_ackvec = NULL;
> + newdp->dccps_hc_rx_ccid = NULL;
> + newdp->dccps_hc_tx_ccid = NULL;

->dccps_hc_rx_ackvec is set to NULL several lines above this, so you don't
need to add that case here.

WRT the ccid pointers, I don't think we can just NULL them out.

If the parent socket has these CCID features enabled, we have to
clone them into the child somehow.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Maxime Ripard: "Re: [PATCH] [media] rc: sunxi-cir: Initialize the spinlock properly"
Previous message: kbuild test robot: "Re: [PATCH RESEND v4] arm: remove !CPU_V6 and !GENERIC_ATOMIC64 build dependencies for XEN"
In reply to: Vegard Nossum: "[PATCH] dccp: fix use-after-free after cloning struct dccp_sock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]