linux/net/rxrpc
David Howells 122d74fac8 rxrpc: Fix use-after-free in rxrpc_receive_data()
The subpacket scanning loop in rxrpc_receive_data() references the
subpacket count in the private data part of the sk_buff in the loop
termination condition.  However, when the final subpacket is pasted into
the ring buffer, the function no longer has a ref on the sk_buff and
should not be looking at sp->* any more.  This point is actually marked in
the code when skb is cleared (but sp is not - which is an error).

Fix this by caching sp->nr_subpackets in a local variable and using that
instead.

Also clear 'sp' to catch accesses after that point.

This can show up as an oops in rxrpc_get_skb() if sp->nr_subpackets gets
trashed by the sk_buff getting freed and reused in the meantime.

Fixes: e2de6c4048 ("rxrpc: Use info in skbuff instead of reparsing a jumbo packet")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-27 10:56:30 +01:00
af_rxrpc.c treewide: Use sizeof_field() macro 2019-12-09 10:36:44 -08:00
ar-internal.h rxrpc: Fix missing security check on incoming calls 2019-12-20 16:21:32 +00:00
call_accept.c rxrpc: Fix missing security check on incoming calls 2019-12-20 16:21:32 +00:00
call_event.c rxrpc: Use the tx-phase skb flag to simplify tracing 2019-08-27 10:04:18 +01:00
call_object.c rxrpc: Fix call crypto state cleanup 2019-10-07 11:05:05 +01:00
conn_client.c rxrpc: Fix call crypto state cleanup 2019-10-07 11:05:05 +01:00
conn_event.c rxrpc: Fix missing security check on incoming calls 2019-12-20 16:21:32 +00:00
conn_object.c rxrpc: Fix trace-after-put looking at the put connection record 2019-10-07 11:05:05 +01:00
conn_service.c rxrpc: Fix missing security check on incoming calls 2019-12-20 16:21:32 +00:00
input.c rxrpc: Fix use-after-free in rxrpc_receive_data() 2020-01-27 10:56:30 +01:00
insecure.c rxrpc: Fix -Wframe-larger-than= warnings from on-stack crypto 2019-07-30 10:32:35 -07:00
Kconfig crypto: skcipher - rename the crypto_blkcipher module and kconfig option 2019-11-01 13:42:47 +08:00
key.c Revert "Merge tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs" 2019-07-10 18:43:43 -07:00
local_event.c rxrpc: Use the tx-phase skb flag to simplify tracing 2019-08-27 10:04:18 +01:00
local_object.c rxrpc: Fix lack of conn cleanup when local endpoint is cleaned up [ver #2] 2019-08-30 15:06:52 -07:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
misc.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36 2019-05-24 17:27:11 +02:00
net_ns.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36 2019-05-24 17:27:11 +02:00
output.c rxrpc: Use the tx-phase skb flag to simplify tracing 2019-08-27 10:04:18 +01:00
peer_event.c rxrpc: use rcu protection while reading sk->sk_user_data 2019-10-16 12:20:17 -07:00
peer_object.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-10-20 10:43:00 -07:00
proc.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
protocol.h rxrpc: Improve jumbo packet counting 2019-08-27 09:48:37 +01:00
recvmsg.c rxrpc: Fix handling of last subpacket of jumbo packet 2019-10-31 12:23:09 -07:00
rxkad.c rxrpc: Fix missing security check on incoming calls 2019-12-20 16:21:32 +00:00
security.c rxrpc: Fix missing security check on incoming calls 2019-12-20 16:21:32 +00:00
sendmsg.c rxrpc: Fix call crypto state cleanup 2019-10-07 11:05:05 +01:00
skbuff.c rxrpc: Use skb_unshare() rather than skb_cow_data() 2019-08-27 10:13:46 +01:00
sysctl.c proc/sysctl: add shared variables for range check 2019-07-18 17:08:07 -07:00
utils.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36 2019-05-24 17:27:11 +02:00