On Sat, Oct 29, 2016 at 5:39 AM, Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx> wrote:
> On Fri, Oct 28, 2016 at 05:42:21PM -0200, Marcelo Ricardo Leitner wrote:
>> On Fri, Oct 28, 2016 at 06:10:53PM +0800, Xin Long wrote:
>> > Prior to this patch, it used a local variable to save the transport that is
>> > looked up by __sctp_lookup_association(), and didn't return it back. But in
>> > sctp_rcv, it is used to initialize chunk->transport. So when hitting this
>> > code, it was initializing chunk->transport with some random stack value
>> > instead.

here should be:

So when hitting this, even if it found the transport, it was still
initializing chunk->transport with null instead.

>> >
>> > This patch is to return the transport back through transport pointer
>> > that is from __sctp_rcv_lookup_harder().
>> >
>> > Signed-off-by: Xin Long <lucien.xin@xxxxxxxxx>
>>
>> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>
>>
>> transport pointer in sctp_rcv() is initialized to null and there are
>> checks for it after this path, so this shouldn't be exploitable, just
>> malfunction.
>
> This actually sort of contradicts the changelog.
>
> Xin, did I miss something here? Seems we need to update the changelog if
> not.
>
You're right, thanks, will repost.
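As an added illustration that is not code from the patch or the kernel, the following C model reproduces the defect shape the thread discusses: a lookup helper stores the found transport in a local instead of writing it through the caller's out-parameter, so a caller that pre-initialized its pointer to NULL (as sctp_rcv() does, per the thread) sees NULL rather than stack garbage and drops the packet. All struct and function names here are hypothetical stand-ins.

```c
/* Added illustration (hypothetical names, not the kernel's code): the
 * out-parameter bug described in the changelog, in buggy and fixed form. */
#include <stddef.h>

struct transport { int id; };
struct association { struct transport t; };

/* Constructed sample table: two associations, each with one transport. */
static struct association assoc_table[] = { { {1} }, { {2} } };

/* Stand-in for __sctp_lookup_association(): on a hit it returns the
 * association and stores its transport through *transportp. */
static struct association *lookup_association(int key,
                                              struct transport **transportp)
{
    if (key < 0 || key >= 2)
        return NULL;
    *transportp = &assoc_table[key].t;
    return &assoc_table[key];
}

/* Buggy shape: the transport lands in a local that shadows the
 * out-parameter, so the caller's pointer is never updated. */
static struct association *lookup_harder_buggy(int key,
                                               struct transport **transportp)
{
    struct transport *transport;   /* never handed back to the caller */
    (void)transportp;
    return lookup_association(key, &transport);
}

/* Fixed shape: pass the caller's pointer straight through. */
static struct association *lookup_harder_fixed(int key,
                                               struct transport **transportp)
{
    return lookup_association(key, transportp);
}

/* Models the receive path: transport starts NULL and is checked after the
 * lookup, so the bug surfaces as a dropped packet (malfunction), not as a
 * dereference of an uninitialized pointer. Returns the transport id or -1. */
static int rcv_transport_id(int key, int use_fixed)
{
    struct transport *transport = NULL;
    struct association *asoc = use_fixed ? lookup_harder_fixed(key, &transport)
                                         : lookup_harder_buggy(key, &transport);
    if (!asoc || !transport)
        return -1;              /* no usable transport: packet dropped */
    return transport->id;       /* this is what chunk->transport would get */
}
```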