On Mon, Jan 11, 2016 at 11:13 PM, David Miller <davem@xxxxxxxxxxxxx> wrote:
> From: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>
> Date: Fri, 8 Jan 2016 11:00:54 -0200
>
>> Dmitry Vyukov reported a use-after-free in the code expanded by the
>> macro debug_post_sfx, which is caused by the use of the asoc pointer
>> after it was freed within sctp_side_effect() scope.
>>
>> This patch fixes it by allowing sctp_side_effect to clear that asoc
>> pointer when the TCB is freed.
>>
>> As Vlad explained, we also have to cover the SCTP_DISPOSITION_ABORT case
>> because it will trigger DELETE_TCB too on that same loop.
>>
>> Also, there were places issuing SCTP_CMD_INIT_FAILED and ASSOC_FAILED
>> but returning SCTP_DISPOSITION_CONSUME, which would fool the scheme
>> above. Fix it by returning SCTP_DISPOSITION_ABORT instead.
>>
>> The macro is already prepared to handle such NULL pointer.
>>
>> Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
>> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>
>
> Applied, thank you.

Tested with this patch for half a day. I did not see any reports
related to pr_debug. Let's consider this as fixed.

Thanks!
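
The pattern described in the quoted commit message, as an added example that is not part of the thread and not the kernel's code: a user-space model in which the callee gets the caller's pointer by reference and clears it when it frees the object, so a NULL-tolerant debug hook that runs afterwards never touches freed memory. All names (side_effect, debug_post, do_sm, DISP_*) are hypothetical stand-ins, and freeing directly inside side_effect is a simplifying assumption.

```c
#include <stdlib.h>

/* User-space model; all names here are hypothetical, not the kernel's. */
enum disposition { DISP_CONSUME, DISP_DELETE_TCB, DISP_ABORT };
struct assoc { int id; };
static int live_assocs;               /* allocations not yet freed */

/* Callee takes the caller's pointer by reference so it can clear it. */
static void side_effect(enum disposition d, struct assoc **asoc)
{
    switch (d) {
    case DISP_DELETE_TCB:
    case DISP_ABORT:                  /* ABORT ends in a TCB delete too */
        free(*asoc);
        live_assocs--;
        *asoc = NULL;                 /* caller cannot reach freed memory */
        break;
    case DISP_CONSUME:                /* object stays alive */
        break;
    }
}

/* Debug hook run after the side effects; tolerates NULL. */
static int debug_post(const struct assoc *asoc)
{
    return asoc ? asoc->id : -1;
}

/* Models the state-machine entry; returns the id the hook saw, or -1. */
static int do_sm(enum disposition d, int id)
{
    struct assoc *asoc = malloc(sizeof(*asoc));
    if (!asoc)
        return -2;
    asoc->id = id;
    live_assocs++;
    side_effect(d, &asoc);
    int seen = debug_post(asoc);      /* safe: NULL if freed above */
    if (asoc) {                       /* model teardown only */
        free(asoc);
        live_assocs--;
    }
    return seen;
}

int main(void)
{
    return do_sm(DISP_ABORT, 7) == -1 ? 0 : 1;
}
```

In this model the clearing is keyed on the returned disposition, which is why a path that frees the object while reporting DISP_CONSUME would leave the caller's pointer dangling.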