fix CVE-2017-6074 DCCP double-free vulnerability
This commit is contained in:
Justin M. Forbes
parent
70963882b0
commit
2e0da32798
|
|
@ -0,0 +1,47 @@
|
|||
From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001
|
||||
From: Andrey Konovalov <andreyknvl@google.com>
|
||||
Date: Thu, 16 Feb 2017 17:22:46 +0100
|
||||
Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
|
||||
|
||||
In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
|
||||
is forcibly freed via __kfree_skb in dccp_rcv_state_process if
|
||||
dccp_v6_conn_request successfully returns.
|
||||
|
||||
However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
|
||||
is saved to ireq->pktopts and the ref count for skb is incremented in
|
||||
dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
|
||||
in dccp_rcv_state_process.
|
||||
|
||||
Fix by calling consume_skb instead of doing goto discard and therefore
|
||||
calling __kfree_skb.
|
||||
|
||||
Similar fixes for TCP:
|
||||
|
||||
fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
|
||||
0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
|
||||
simply consumed
|
||||
|
||||
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Acked-by: Eric Dumazet <edumazet@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/dccp/input.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/dccp/input.c b/net/dccp/input.c
|
||||
index ba34718..8fedc2d 100644
|
||||
--- a/net/dccp/input.c
|
||||
+++ b/net/dccp/input.c
|
||||
@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
|
||||
if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
|
||||
skb) < 0)
|
||||
return 1;
|
||||
- goto discard;
|
||||
+ consume_skb(skb);
|
||||
+ return 0;
|
||||
}
|
||||
if (dh->dccph_type == DCCP_PKT_RESET)
|
||||
goto discard;
|
||||
--
|
||||
cgit v0.12
|
||||
|
||||
|
|
@ -646,6 +646,9 @@ Patch861: w1-ds2490-USB-transfer-buffers-need-to-be-DMAable.patch
|
|||
#rhbz 1422969
|
||||
Patch862: rt2800-warning.patch
|
||||
|
||||
#CVE-2017-6074
|
||||
Patch863: dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2175,6 +2178,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Feb 22 2017 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- CVE-2017-6074 DCCP double-free vulnerability
|
||||
|
||||
* Mon Feb 20 2017 Laura Abbott <labbott@fedoraproject.org> - 4.9.11-100
|
||||
- Linux v4.9.11
|
||||
- Fix rt2800 warning (rhbz 1422969)
|
||||
|
|
|
|||
Loading…
Reference in New Issue