Bluetooth: ISO: Fix possible UAF on iso_conn_free

This attempt to fix similar issue to sco_conn_free where if the
conn->sk is not set to NULL may lead to UAF on iso_conn_free.

Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 5c68c0ea7d97493dee366c716e30e6ce70fe1d2e..d24c7a1ace92bba2ff1374e319a320aa06bb9378 100644 (file)
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -761,6 +761,13 @@ static void iso_sock_kill(struct sock *sk)
 
        BT_DBG("sk %p state %d", sk, sk->sk_state);
 
+       /* Sock is dead, so set conn->sk to NULL to avoid possible UAF */
+       if (iso_pi(sk)->conn) {
+               iso_conn_lock(iso_pi(sk)->conn);
+               iso_pi(sk)->conn->sk = NULL;
+               iso_conn_unlock(iso_pi(sk)->conn);
+       }
+
        /* Kill poor orphan */
        bt_sock_unlink(&iso_sk_list, sk);
        sock_set_flag(sk, SOCK_DEAD);