]> git.ipfire.org Git - thirdparty/kernel/stable.git/commit
projects / thirdparty / kernel / stable.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 1e6f154) | patch
net/dccp: fix use-after-free in dccp_invalid_packet
authorEric Dumazet <edumazet@google.com>
Mon, 28 Nov 2016 14:26:49 +0000 (06:26 -0800)
committerBen Hutchings <ben@decadent.org.uk>
Thu, 16 Mar 2017 02:27:21 +0000 (02:27 +0000)
commit239ec383c58cefb4dfbe707c09fbe6463eeedb85
tree125d0fecb84f9ce7c288d3dbeb059d4467f155b7tree | snapshot
parent1e6f154d4c60f6bcf9b6fb7727c4c016380298e4commit | diff
net/dccp: fix use-after-free in dccp_invalid_packet

[ Upstream commit 648f0c28df282636c0c8a7a19ca3ce5fc80a39c3 ]

pskb_may_pull() can reallocate skb->head, we need to reload dh pointer
in dccp_invalid_packet() or risk use after free.

Bug found by Andrey Konovalov using syzkaller.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
net/dccp/ipv4.c diff | blob | blame | history
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git