diff options
author | Tuong Lien <tuong.t.lien@dektech.com.au> | 2019-12-10 09:21:05 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2019-12-11 02:45:04 +0100 |
commit | 31e4ccc99eda8a5a7e6902c98bee6e78ffd3edb9 (patch) | |
tree | 5d8a20136f6e21f51bf569332b008a9fbb69527b /net/tipc/discover.c | |
parent | tipc: fix retrans failure due to wrong destination (diff) | |
download | linux-31e4ccc99eda8a5a7e6902c98bee6e78ffd3edb9.tar.xz linux-31e4ccc99eda8a5a7e6902c98bee6e78ffd3edb9.zip |
tipc: fix use-after-free in tipc_disc_rcv()
In the function 'tipc_disc_rcv()', the 'msg_peer_net_hash()' is called
to read the header data field but after the message skb has been freed,
that might result in a garbage value...
This commit fixes it by defining a new local variable to store the data
first, just like the other header fields' handling.
Fixes: f73b12812a3d ("tipc: improve throughput between nodes in netns")
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: Tuong Lien <tuong.t.lien@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/tipc/discover.c')
-rw-r--r-- | net/tipc/discover.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/net/tipc/discover.c b/net/tipc/discover.c index b043e8c6397a..bfe43da127c0 100644 --- a/net/tipc/discover.c +++ b/net/tipc/discover.c @@ -194,6 +194,7 @@ void tipc_disc_rcv(struct net *net, struct sk_buff *skb, { struct tipc_net *tn = tipc_net(net); struct tipc_msg *hdr = buf_msg(skb); + u32 pnet_hash = msg_peer_net_hash(hdr); u16 caps = msg_node_capabilities(hdr); bool legacy = tn->legacy_addr_format; u32 sugg = msg_sugg_node_addr(hdr); @@ -242,9 +243,8 @@ void tipc_disc_rcv(struct net *net, struct sk_buff *skb, return; if (!tipc_in_scope(legacy, b->domain, src)) return; - tipc_node_check_dest(net, src, peer_id, b, caps, signature, - msg_peer_net_hash(hdr), &maddr, &respond, - &dupl_addr); + tipc_node_check_dest(net, src, peer_id, b, caps, signature, pnet_hash, + &maddr, &respond, &dupl_addr); if (dupl_addr) disc_dupl_alert(b, src, &maddr); if (!respond) |