git.openpandora.org / pandora-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 03aeee0) | patch
net/dccp: fix use-after-free in dccp_invalid_packet
authorEric Dumazet <edumazet@google.com>
Mon, 28 Nov 2016 14:26:49 +0000 (06:26 -0800)
committerBen Hutchings <ben@decadent.org.uk>
Thu, 16 Mar 2017 02:18:55 +0000 (02:18 +0000)
commit00b9bf63242488f79f4085e63a6fa9d5bc6fcd79
tree3dc904d659669b09253a544b5008feec332a90edtree | snapshot
parent03aeee0d1fc7fc4984b36acd3ac57b70c4a03e65commit | diff
net/dccp: fix use-after-free in dccp_invalid_packet

[ Upstream commit 648f0c28df282636c0c8a7a19ca3ce5fc80a39c3 ]

pskb_may_pull() can reallocate skb->head, we need to reload dh pointer
in dccp_invalid_packet() or risk use after free.

Bug found by Andrey Konovalov using syzkaller.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
net/dccp/ipv4.c diff | blob | history
Pandora Kernel Repository