]> git.baikalelectronics.ru Git - kernel.git/commit
projects / kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 85cc46d) | patch
net/dccp: fix use-after-free in dccp_invalid_packet
authorEric Dumazet <edumazet@google.com>
Mon, 28 Nov 2016 14:26:49 +0000 (06:26 -0800)
committerDavid S. Miller <davem@davemloft.net>
Wed, 30 Nov 2016 01:37:26 +0000 (20:37 -0500)
commitfcbdd36b0f706095b3adc8dc6a75eac35ebe00d2
tree21a521e1c65060e4ef3060e122915134c29aa931tree | snapshot
parent85cc46d45b7c591256581de95bd7d78cd8a9b0a7commit | diff
net/dccp: fix use-after-free in dccp_invalid_packet

pskb_may_pull() can reallocate skb->head, we need to reload dh pointer
in dccp_invalid_packet() or risk use after free.

Bug found by Andrey Konovalov using syzkaller.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/dccp/ipv4.c diff | blob | history
Linux Kernel Source Tree.