diff options
author | Xin Long <lucien.xin@gmail.com> | 2016-10-31 15:32:33 +0300 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2016-10-31 23:20:33 +0300 |
commit | dae399d7fdee84d8f5227a9711d95bb4e9a05d4e (patch) | |
tree | 5ea1f8d710959c462452efaa4fffc8d7d1f0cbb7 /net/sctp/ipv6.c | |
parent | 7c17fcc726903ffed1716351efdc617e752533ed (diff) | |
download | linux-dae399d7fdee84d8f5227a9711d95bb4e9a05d4e.tar.xz |
sctp: hold transport instead of assoc when lookup assoc in rx path
Prior to this patch, in rx path, before calling lock_sock, it needed to
hold assoc when got it by __sctp_lookup_association, in case other place
would free/put assoc.
But in __sctp_lookup_association, it lookup and hold transport, then got
assoc by transport->assoc, then hold assoc and put transport. It means
it didn't hold transport, yet it was returned and later on directly
assigned to chunk->transport.
Without the protection of sock lock, the transport may be freed/put by
other places, which would cause a use-after-free issue.
This patch is to fix this issue by holding transport instead of assoc.
As holding transport can make sure to access assoc is also safe, and
actually it looks up assoc by searching transport rhashtable, to hold
transport here makes more sense.
Note that the function will be renamed later on on another patch.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sctp/ipv6.c')
-rw-r--r-- | net/sctp/ipv6.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c index f473779e8b1c..176af3080a2b 100644 --- a/net/sctp/ipv6.c +++ b/net/sctp/ipv6.c @@ -198,7 +198,7 @@ static void sctp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, } out_unlock: - sctp_err_finish(sk, asoc); + sctp_err_finish(sk, transport); out: if (likely(idev != NULL)) in6_dev_put(idev); |