diff options
author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-02-01 15:15:22 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-02-12 19:47:22 +0100 |
commit | 7c2361308e1727c3135ebb3b5c6906fb781bb261 (patch) | |
tree | 79abd74922621d0d2c6d2dd09dfb330f88e292cd /net/sctp | |
parent | 7cd4e833761f0dfccd3ae61be0a620684556601b (diff) | |
download | linux-stable-7c2361308e1727c3135ebb3b5c6906fb781bb261.tar.gz linux-stable-7c2361308e1727c3135ebb3b5c6906fb781bb261.tar.bz2 linux-stable-7c2361308e1727c3135ebb3b5c6906fb781bb261.zip |
sctp: walk the list of asoc safely
[ Upstream commit ba59fb0273076637f0add4311faa990a5eec27c0 ]
In sctp_sendmesg(), when walking the list of endpoint associations, the
association can be dropped from the list, making the list corrupt.
Properly handle this by using list_for_each_entry_safe()
Fixes: 4910280503f3 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg")
Reported-by: Secunia Research <vuln@secunia.com>
Tested-by: Secunia Research <vuln@secunia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net/sctp')
-rw-r--r-- | net/sctp/socket.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 876393cf5ed6..e5e70cff5bb3 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -2045,7 +2045,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len) struct sctp_endpoint *ep = sctp_sk(sk)->ep; struct sctp_transport *transport = NULL; struct sctp_sndrcvinfo _sinfo, *sinfo; - struct sctp_association *asoc; + struct sctp_association *asoc, *tmp; struct sctp_cmsgs cmsgs; union sctp_addr *daddr; bool new = false; @@ -2071,7 +2071,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len) /* SCTP_SENDALL process */ if ((sflags & SCTP_SENDALL) && sctp_style(sk, UDP)) { - list_for_each_entry(asoc, &ep->asocs, asocs) { + list_for_each_entry_safe(asoc, tmp, &ep->asocs, asocs) { err = sctp_sendmsg_check_sflags(asoc, sflags, msg, msg_len); if (err == 0) |