projects / profile / common / platform / kernel / linux-artik7.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: baaf0c6) | patch
net/dccp: fix use-after-free in dccp_invalid_packet
authorEric Dumazet <edumazet@google.com>
Mon, 28 Nov 2016 14:26:49 +0000 (06:26 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 10 Dec 2016 18:07:24 +0000 (19:07 +0100)
commit1a15519fdcdb0f908ad1a3785178f9e18a2ebedb
tree6b45149fcc6fb391d5dc8bfe2e75b732dc5b2ee1tree | snapshot
parentbaaf0c65bc8ea9c7a404b09bc8cc3b8a1e4f18dfcommit | diff
net/dccp: fix use-after-free in dccp_invalid_packet

[ Upstream commit 648f0c28df282636c0c8a7a19ca3ce5fc80a39c3 ]

pskb_may_pull() can reallocate skb->head, we need to reload dh pointer
in dccp_invalid_packet() or risk use after free.

Bug found by Andrey Konovalov using syzkaller.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/dccp/ipv4.c diff | blob | history
Domain: System / Kernel;