evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_oneplus_msm8998/net/dccp
History
Alexey Kodanev de31c39167 dccp: check sk for closed state in dccp_sendmsg() 
[ Upstream commit 67f93df79aeefc3add4e4b31a752600f834236e2 ]

dccp_disconnect() sets 'dp->dccps_hc_tx_ccid' tx handler to NULL,
therefore if DCCP socket is disconnected and dccp_sendmsg() is
called after it, it will cause a NULL pointer dereference in
dccp_write_xmit().

This crash and the reproducer was reported by syzbot. Looks like
it is reproduced if commit 69c64866ce07 ("dccp: CVE-2017-8824:
use-after-free in DCCP code") is applied.

Reported-by: syzbot+f99ab3887ab65d70f816@syzkaller.appspotmail.com
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-03-31 18:12:33 +02:00
..
ccids dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state 2018-01-31 12:06:12 +01:00
ackvec.c dccp: drop null test before destroy functions 2015-09-15 16:49:43 -07:00
ackvec.h net: dccp: Remove extern from function prototypes 2013-10-19 19:12:11 -04:00
ccid.c dccp: drop null test before destroy functions 2015-09-15 16:49:43 -07:00
ccid.h net: dccp: Remove extern from function prototypes 2013-10-19 19:12:11 -04:00
dccp.h tcp/dccp: fix hashdance race for passive sessions 2015-10-23 05:42:21 -07:00
diag.c sock_diag: specify info_size per inet protocol 2015-06-15 19:49:22 -07:00
feat.c dccp: fix a memleak for dccp_feat_init err process 2017-08-11 09:08:54 -07:00
feat.h net: dccp: Remove extern from function prototypes 2013-10-19 19:12:11 -04:00
input.c dccp: fix freeing skb too early for IPV6_RECVPKTINFO 2017-02-26 11:07:50 +01:00
ipv4.c tcp/dccp: fix other lockdep splats accessing ireq_opt 2017-11-18 11:11:07 +01:00
ipv6.c dccp: fix a memleak that dccp_ipv6 doesn't put reqsk properly 2017-08-11 09:08:54 -07:00
ipv6.h inet: includes a sock_common in request_sock 2013-10-10 00:08:07 -04:00
Kconfig net/dccp: remove depends on CONFIG_EXPERIMENTAL 2013-01-11 11:39:34 -08:00
Makefile
minisocks.c dccp: fix use-after-free in dccp_feat_activate_values 2017-03-22 12:04:15 +01:00
options.c dccp: remove obsolete code 2014-01-04 20:18:49 -05:00
output.c dccp: constify dccp_make_response() socket argument 2015-09-25 13:00:39 -07:00
probe.c Use 64-bit timekeeping 2015-11-01 17:01:16 -05:00
proto.c dccp: check sk for closed state in dccp_sendmsg() 2018-03-31 18:12:33 +02:00
qpolicy.c
sysctl.c dccp: make the request_retries minimum is 1 2014-05-14 15:34:16 -04:00
timer.c inet: get rid of central tcp/dccp listener timer 2015-03-20 12:40:25 -04:00