On Thu, May 10, 2018 at 05:34:13PM +0800, Xin Long wrote:
> In Commit 1f45f78f8e51 ("sctp: allow GSO frags to access the chunk too"),
> it held the chunk in sctp_ulpevent_make_rcvmsg to access it safely later
> in recvmsg. However, it also added sctp_chunk_put in fail_mark err path,
> which is only triggered before holding the chunk.
>
> syzbot reported a use-after-free crash happened on this err path, where
> it shouldn't call sctp_chunk_put.
>
> This patch simply removes this call.
>
> Fixes: 1f45f78f8e51 ("sctp: allow GSO frags to access the chunk too")
> Reported-by: [email protected]
> Signed-off-by: Xin Long <[email protected]>Acked-by: Marcelo Ricardo Leitner <[email protected]> > --- > net/sctp/ulpevent.c | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c > index 84207ad..8cb7d98 100644 > --- a/net/sctp/ulpevent.c > +++ b/net/sctp/ulpevent.c > @@ -715,7 +715,6 @@ struct sctp_ulpevent *sctp_ulpevent_make_rcvmsg(struct > sctp_association *asoc, > return event; > > fail_mark: > - sctp_chunk_put(chunk); > kfree_skb(skb); > fail: > return NULL; > -- > 2.1.0 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-sctp" in > the body of a message to [email protected] > More majordomo info at http://vger.kernel.org/majordomo-info.html >
