Searched hist:"93a2014afbace907178afc3c9c1e62c9a338595a" (Results 1 – 1 of 1) sorted by relevance
/openbmc/linux/net/atm/common.c
diff 93a2014afbace907178afc3c9c1e62c9a338595a Fri May 01 13:11:08 CDT 2020 Cong Wang <xiyou.wangcong@gmail.com>

atm: fix a UAF in lec_arp_clear_vccs()

Gengming reported a UAF in lec_arp_clear_vccs(), where we add a vcc socket to an entry in a per-device list but free the socket without removing it from the list when vcc->dev is NULL.
We need to call lec_vcc_close() to search and remove those entries that contain the vcc being destroyed. This can be done by calling vcc->push(vcc, NULL) unconditionally in vcc_destroy_socket().
Another issue discovered by Gengming's reproducer is that vcc->dev may point to the static device lecatm_dev, for which we don't need to register/unregister the device, so we can just check for vcc->dev->ops->owner.

Reported-by: Gengming Liu <l.dmxcsnsbh@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>