diff options
| author | Cong Wang <xiyou.wangcong@gmail.com> | 2020-05-01 20:11:08 +0200 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2020-05-04 20:59:20 +0200 |
| commit | 93a2014afbace907178afc3c9c1e62c9a338595a (patch) | |
| tree | 4d072dccbc4a89676c4c0b16a27162c9a4cdbe79 /net/atm/lec.c | |
| parent | net: stmmac: gmac5+: fix potential integer overflow on 32 bit multiply (diff) | |
| download | linux-93a2014afbace907178afc3c9c1e62c9a338595a.tar.xz linux-93a2014afbace907178afc3c9c1e62c9a338595a.zip | |
atm: fix a UAF in lec_arp_clear_vccs()
Gengming reported a UAF in lec_arp_clear_vccs(),
where we add a vcc socket to an entry in a per-device
list but free the socket without removing it from the
list when vcc->dev is NULL.
We need to call lec_vcc_close() to search and remove
those entries contain the vcc being destroyed. This can
be done by calling vcc->push(vcc, NULL) unconditionally
in vcc_destroy_socket().
Another issue discovered by Gengming's reproducer is
the vcc->dev may point to the static device lecatm_dev,
for which we don't need to register/unregister device,
so we can just check for vcc->dev->ops->owner.
Reported-by: Gengming Liu <l.dmxcsnsbh@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/atm/lec.c')
0 files changed, 0 insertions, 0 deletions