summaryrefslogtreecommitdiffstats
path: root/net/netlink
diff options
context:
space:
mode:
authorDaniel Borkmann <dborkman@redhat.com>2013-08-09 16:25:21 +0200
committerDavid S. Miller <davem@davemloft.net>2013-08-13 07:13:47 +0200
commit771085d6bf3c52de29fc213e5bad07a82e57c23e (patch)
treed303a22b45461e2d728dd1e59dfce9bb38cf3e8f /net/netlink
parentnet: sctp: sctp_assoc_control_transport: fix MTU size in SCTP_PF state (diff)
downloadlinux-771085d6bf3c52de29fc213e5bad07a82e57c23e.tar.xz
linux-771085d6bf3c52de29fc213e5bad07a82e57c23e.zip
net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption
Probably this one is quite unlikely to be triggered, but it's more safe to do the call_rcu() at the end after we have dropped the reference on the asoc and freed sctp packet chunks. The reason why is because in sctp_transport_destroy_rcu() the transport is being kfree()'d, and if we're unlucky enough we could run into corrupted pointers. Probably that's more of theoretical nature, but it's safer to have this simple fix. Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings for deferred call_rcu's"). I also did the 8c98653f regression test and it's fine that way. Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netlink')
0 files changed, 0 insertions, 0 deletions