From: David M. <da...@da...> - 2019-03-21 16:57:24
From: Hoang Le <hoa...@de...>
Date: Thu, 21 Mar 2019 17:25:17 +0700

> skb free-ed in:
> 1/ condition 1: tipc_sk_filter_rcv -> tipc_sk_proto_rcv
> 2/ condition 2: tipc_sk_filter_rcv -> tipc_group_filter_msg
> This leads to a "use-after-free" access in the next condition.
>
> We fix this by initializing the variable at declaration, then it is safe
> to check this variable to continue processing if condition matches.
>
> syzbot report: ...
> Reported-by: syz...@sy...
> Fixes: c55c8eda ("tipc: smooth change between replicast and broadcast")
> Acked-by: Jon Maloy <jon...@er...>
> Signed-off-by: Hoang Le <hoa...@de...>

Applied.