On 13/10/2020 19:18, Kleber Sacilotto de Souza wrote: > rom: Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx> > > This reverts commit 2677d20677314101293e6da0094ede7b5526d2b1. > > This fixes an issue that after disconnect, dccps_hc_tx_ccid will still be > kept, allowing the socket to be reused as a listener socket, and the cloned > socket will free its dccps_hc_tx_ccid, leading to a later use after free, > when the listener socket is closed. > > This addresses CVE-2020-16119. > > Fixes: 2677d2067731 (dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()) > Reported-by: Hadar Manor > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx> > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@xxxxxxxxxxxxx> > --- Acked-by: Richard Sailer <richard_siegfried@xxxxxxxxxxxx>
Attachment:
signature.asc
Description: OpenPGP digital signature