sctp: fix use-after-free in pr_debug statement
author Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Fri, 8 Jan 2016 13:00:54 +0000 (11:00 -0200)
committer David S. Miller <davem@davemloft.net>
Mon, 11 Jan 2016 22:13:01 +0000 (17:13 -0500)
commit 649621e3d54439ae232d726d7beef295d3887a68
tree e8229276e251856aab325ce510d22cd51a35e3f0
parent 366ce60315292a579b8ceae2777102e1954a2024
sctp: fix use-after-free in pr_debug statement

Dmitry Vyukov reported a use-after-free in the code expanded by the
macro debug_post_sfx, which is caused by the use of the asoc pointer
after it was freed within sctp_side_effect() scope.

This patch fixes it by allowing sctp_side_effect to clear that asoc
pointer when the TCB is freed.

As Vlad explained, we also have to cover the SCTP_DISPOSITION_ABORT case
because it will trigger DELETE_TCB too on that same loop.

Also, there were places issuing SCTP_CMD_INIT_FAILED and ASSOC_FAILED
but returning SCTP_DISPOSITION_CONSUME, which would fool the scheme
above. Fix it by returning SCTP_DISPOSITION_ABORT instead.

The macro is already prepared to handle such a NULL pointer.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sctp/sm_sideeffect.c
net/sctp/sm_statefuns.c
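
The pointer-clearing scheme the commit message describes, as a toy C model added here; it is not the kernel patch or code from this commit. All names (`run_cmd`, `side_effect`, `debug_post`, `step`, the enums) are hypothetical, and the `freed` flag stands in for the real free so the stale case can be observed without undefined behaviour. The last call in `main` is the mismatch the message calls out: a failure command paired with a consume disposition leaves the caller holding a stale pointer.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model of the pattern in the commit message; every name here is
 * hypothetical and none of this is kernel code. */
enum cmd  { CMD_NONE, CMD_DELETE_TCB, CMD_ASSOC_FAILED };
enum disp { DISP_CONSUME, DISP_DELETE_TCB, DISP_ABORT };
struct assoc { int id; int freed; };   /* 'freed' stands in for the free */

/* Command loop: both commands end with the association being released. */
static void run_cmd(enum cmd c, struct assoc *asoc)
{
    if (c == CMD_DELETE_TCB || c == CMD_ASSOC_FAILED)
        asoc->freed = 1;
}

/* Side-effect step: takes the caller's pointer by address so it can
 * clear it for dispositions that imply the association is gone. */
static void side_effect(enum cmd c, enum disp d, struct assoc **asoc)
{
    run_cmd(c, *asoc);
    if (d == DISP_DELETE_TCB || d == DISP_ABORT)
        *asoc = NULL;
}

/* Debug hook run after the side effects; NULL-tolerant.
 * Returns the id logged, -1 for "no association", -2 for a stale use. */
static int debug_post(const struct assoc *asoc)
{
    if (!asoc)
        return -1;
    return asoc->freed ? -2 : asoc->id;
}

/* One state-machine step: a state function chose (c, d) for this event. */
static int step(enum cmd c, enum disp d)
{
    struct assoc slot = { 42, 0 };     /* constructed sample association */
    struct assoc *asoc = &slot;
    side_effect(c, d, &asoc);
    return debug_post(asoc);
}

int main(void)
{
    printf("%d %d %d %d\n", step(CMD_NONE, DISP_CONSUME),
           step(CMD_DELETE_TCB, DISP_DELETE_TCB),
           step(CMD_ASSOC_FAILED, DISP_ABORT),
           step(CMD_ASSOC_FAILED, DISP_CONSUME));
    return 0;
}
```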