diff options
| author | Florian Westphal <[email protected]> | 2020-02-05 23:39:37 +0000 |
|---|---|---|
| committer | David S. Miller <[email protected]> | 2020-02-06 10:25:09 +0000 |
| commit | b0519de8b3f1caf10632aca55def999ec2d2f1bc (patch) | |
| tree | b95ccc010e7691b0715d76e2b9f74e4489876894 /net/unix/af_unix.c | |
| parent | qed: Fix timestamping issue for L2 unicast ptp packets. (diff) | |
| download | kernel-b0519de8b3f1caf10632aca55def999ec2d2f1bc.tar.gz kernel-b0519de8b3f1caf10632aca55def999ec2d2f1bc.zip | |
mptcp: fix use-after-free for ipv6
Turns out that when we accept a new subflow, the newly created
inet_sk(tcp_sk)->pinet6 points at the ipv6_pinfo structure of the
listener socket.
This wasn't caught by the selftest because it closes the accepted fd
before the listening one.
Adding a close(listenfd) after accept returns is enough:
BUG: KASAN: use-after-free in inet6_getname+0x6ba/0x790
Read of size 1 at addr ffff88810e310866 by task mptcp_connect/2518
Call Trace:
inet6_getname+0x6ba/0x790
__sys_getpeername+0x10b/0x250
__x64_sys_getpeername+0x6f/0xb0
Also alter test program to exercise this.
Reported-by: Christoph Paasch <[email protected]>
Signed-off-by: Florian Westphal <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
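The close ordering the commit message describes, as an added stand-alone reproducer (illustration code, not the kernel selftest the commit modifies): accept a connection, close the listening socket first, then call getpeername() on the accepted socket. On an affected kernel with an IPv6 MPTCP listener that getpeername() is the inet6_getname() read of the listener's freed ipv6_pinfo seen in the KASAN trace; on a fixed kernel, or with plain TCP, it simply returns the peer address. The IPPROTO_MPTCP value (262) is taken from the kernel's uapi headers and is only defined here as a fallback for older libc headers; the main() falls back to TCP where the running kernel has no MPTCP support.

```c
/*
 * Added reproducer for the close-ordering bug described above.
 * Not part of the kernel tree or its selftests.
 */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IPPROTO_MPTCP
#define IPPROTO_MPTCP 262 /* from include/uapi/linux/in.h; assumed when libc headers predate it */
#endif

/*
 * Returns 0 when getpeername() on the accepted socket succeeds *after* the
 * listening socket has been closed; otherwise -errno of the first failing call.
 * On a kernel with the use-after-free this is the call that trips KASAN for
 * an AF_INET6 MPTCP listener.
 */
int exercise_close_order(int family, int proto)
{
    int lfd = -1, cfd = -1, afd = -1, rc = 0;
    struct sockaddr_storage ss;
    socklen_t slen;
    struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)&ss;
    struct sockaddr_in *a4 = (struct sockaddr_in *)&ss;

    /* Bind to loopback, port 0: the kernel picks an ephemeral port. */
    memset(&ss, 0, sizeof(ss));
    if (family == AF_INET6) {
        a6->sin6_family = AF_INET6;
        a6->sin6_addr = in6addr_loopback;
        slen = sizeof(*a6);
    } else {
        a4->sin_family = AF_INET;
        a4->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        slen = sizeof(*a4);
    }

    lfd = socket(family, SOCK_STREAM, proto);
    if (lfd < 0)
        return -errno;
    if (bind(lfd, (struct sockaddr *)&ss, slen) < 0 || listen(lfd, 1) < 0) {
        rc = -errno;
        goto out;
    }
    /* Read back the address including the chosen port for connect(). */
    if (getsockname(lfd, (struct sockaddr *)&ss, &slen) < 0) {
        rc = -errno;
        goto out;
    }

    cfd = socket(family, SOCK_STREAM, proto);
    if (cfd < 0) {
        rc = -errno;
        goto out;
    }
    if (connect(cfd, (struct sockaddr *)&ss, slen) < 0) {
        rc = -errno;
        goto out;
    }

    afd = accept(lfd, NULL, NULL);
    if (afd < 0) {
        rc = -errno;
        goto out;
    }

    /* The order that matters: drop the listener before touching the accepted fd. */
    close(lfd);
    lfd = -1;

    slen = sizeof(ss);
    if (getpeername(afd, (struct sockaddr *)&ss, &slen) < 0) {
        rc = -errno;
        goto out;
    }
    /* Sanity check: the returned peer address must be of the requested family. */
    if (ss.ss_family != family)
        rc = -EAFNOSUPPORT;

out:
    if (afd >= 0) close(afd);
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    return rc;
}

int main(void)
{
    /* Prefer the MPTCP flavour that exercises the bug; fall back to TCP otherwise. */
    int rc = exercise_close_order(AF_INET6, IPPROTO_MPTCP);
    if (rc == -EPROTONOSUPPORT || rc == -EAFNOSUPPORT || rc == -EINVAL)
        rc = exercise_close_order(AF_INET6, IPPROTO_TCP);
    printf("getpeername after close(listenfd): %s\n", rc == 0 ? "ok" : strerror(-rc));
    return rc ? 1 : 0;
}
```

Run it on a kernel with CONFIG_MPTCP and KASAN to reproduce the splat; the original selftest missed the bug only because it closed the accepted descriptor before the listener, which is why the commit also changes the test program's close order.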
Diffstat (limited to 'net/unix/af_unix.c')
0 files changed, 0 insertions, 0 deletions
