diff options
| author | Xin Long <lucien.xin@gmail.com> | 2018-05-10 17:34:13 +0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-05-19 10:26:58 +0200 |
| commit | 1f2b77e868d9ff002a312fd93ee20e636f80614d (patch) | |
| tree | 5cb3f6c80c2276e40c8cbbaa23ced0deaa11da0f /net/sctp | |
| parent | f9a670e10d274274fda7fd74220dfd1048dd332e (diff) | |
| download | linux-stable-1f2b77e868d9ff002a312fd93ee20e636f80614d.tar.gz linux-stable-1f2b77e868d9ff002a312fd93ee20e636f80614d.tar.bz2 linux-stable-1f2b77e868d9ff002a312fd93ee20e636f80614d.zip | |
sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg
[ Upstream commit 6910e25de2257e2c82c7a2d126e3463cd8e50810 ]
In Commit 1f45f78f8e51 ("sctp: allow GSO frags to access the chunk too"),
it held the chunk in sctp_ulpevent_make_rcvmsg to access it safely later
in recvmsg. However, it also added sctp_chunk_put in fail_mark err path,
which is only triggered before holding the chunk.
syzbot reported a use-after-free crash happened on this err path, where
it shouldn't call sctp_chunk_put.
This patch simply removes this call.
Fixes: 1f45f78f8e51 ("sctp: allow GSO frags to access the chunk too")
Reported-by: syzbot+141d898c5f24489db4aa@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net/sctp')
| -rw-r--r-- | net/sctp/ulpevent.c | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c index bea00058ce35..6825e05a68b2 100644 --- a/net/sctp/ulpevent.c +++ b/net/sctp/ulpevent.c @@ -723,7 +723,6 @@ struct sctp_ulpevent *sctp_ulpevent_make_rcvmsg(struct sctp_association *asoc, return event; fail_mark: - sctp_chunk_put(chunk); kfree_skb(skb); fail: return NULL; |