On 12/14/2015 04:50 AM, David Laight wrote:
> From: Vlad Yasevich
>> Sent: 11 December 2015 18:38
> ...
>>> Found a similar place in abort primitive handling like in this last
>>> patch update, it's probably the issue you're still triggering.
>>>
>>> Also found another place that may lead to this use after free, in case
>>> we receive a packet with a chunk that has no data.
>>>
>>> Oh my.. :)
>>
>> Yes. This is what I was worried about... Anything that triggers
>> a DELETE_TCB command has to return a code that we can trap.
>>
>> The other way is to do what Dmitri suggested, but even there, we
>> need to be very careful.
>
> I'm always wary of anything that queues actions up for later processing.
> It is far too easy (as found here) to end up processing actions
> in invalid states, or to process actions in 'unusual' orders when
> specific events happen close together.
>
> I wonder how much fallout there'd be from getting the sctp code
> to immediately action things, instead of queuing the actions for later.
> It would certainly remove a lot of the unusual combinations of events.
>

We've bandied this idea around for a while, but no one has had the time
to tackle this. This would be a rather time-consuming task, but in the end
might be a good idea.

-vlad

> David
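
Added example, not part of the original message and not kernel code: a toy deferred-command interpreter showing the hazard discussed in this thread, where commands queued behind a DELETE_TCB still run against the deleted association unless the delete returns a code that the caller traps. All names (`run_cmds`, `struct assoc`, the `CMD_*` and `DISP_*` values) are hypothetical, and the free is simulated with a flag so the demo itself has no undefined behaviour.

```c
#include <stdio.h>

/* Hypothetical names throughout; this models the pattern, it is not kernel code. */
enum cmd { CMD_SEND_REPLY, CMD_START_TIMER, CMD_DELETE_TCB };
enum disposition { DISP_CONSUME, DISP_DELETED };

struct assoc {
    int freed;         /* stands in for the real free, so the demo has no actual UAF */
    int stale_touches; /* accesses made after the simulated free */
};
struct cmd_seq { enum cmd cmds[8]; int n; };

static void queue_cmd(struct cmd_seq *q, enum cmd c) { if (q->n < 8) q->cmds[q->n++] = c; }
static void touch(struct assoc *a) { if (a->freed) a->stale_touches++; }

/* Run the queued side effects. With trap_delete set, stop at DELETE_TCB and
 * return a code the caller can act on; otherwise keep draining the queue. */
static enum disposition run_cmds(const struct cmd_seq *q, struct assoc *a, int trap_delete)
{
    enum disposition d = DISP_CONSUME;
    for (int i = 0; i < q->n; i++) {
        switch (q->cmds[i]) {
        case CMD_SEND_REPLY:
        case CMD_START_TIMER:
            touch(a);
            break;
        case CMD_DELETE_TCB:
            a->freed = 1;
            d = DISP_DELETED;
            if (trap_delete) return d; /* remaining commands are discarded */
            break;
        }
    }
    return d;
}

/* Constructed sequence: a delete queued ahead of two more commands. */
static int stale_accesses(int trap_delete)
{
    struct assoc a = { 0, 0 };
    struct cmd_seq q = { .n = 0 };
    queue_cmd(&q, CMD_SEND_REPLY);
    queue_cmd(&q, CMD_DELETE_TCB);
    queue_cmd(&q, CMD_START_TIMER);
    queue_cmd(&q, CMD_SEND_REPLY);
    run_cmds(&q, &a, trap_delete);
    return a.stale_touches;
}

int main(void) { printf("%d %d\n", stale_accesses(0), stale_accesses(1)); return 0; }
```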