| Message ID | 1307962685-3309-2-git-send-email-apw@canonical.com |
|---|---|
| State | New |
| Headers | show |
On Mon, 2011-06-13 at 11:58 +0100, Andy Whitcroft wrote: > From: Dave Jones <davej@redhat.com> > > We can get here with a NULL socket argument passed from userspace, > so we need to handle it accordingly. > > Signed-off-by: Dave Jones <davej@redhat.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > > (cherry picked from commit c6914a6f261aca0c9f715f883a353ae7ff51fe83) > CVE-2011-1598 > BugLink: http://bugs.launchpad.net/bugs/796502 > Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com> > --- > net/can/bcm.c | 7 ++++++- > 1 files changed, 6 insertions(+), 1 deletions(-) > > diff --git a/net/can/bcm.c b/net/can/bcm.c > index 9d5e8ac..56d20a2 100644 > --- a/net/can/bcm.c > +++ b/net/can/bcm.c > @@ -1424,9 +1424,14 @@ static int bcm_init(struct sock *sk) > static int bcm_release(struct socket *sock) > { > struct sock *sk = sock->sk; > - struct bcm_sock *bo = bcm_sk(sk); > + struct bcm_sock *bo; > struct bcm_op *op, *next; > > + if (sk == NULL) > + return 0; > + > + bo = bcm_sk(sk); > + > /* remove bcm_ops, timer, rx_unregister(), etc. */ > > unregister_netdevice_notifier(&bo->notifier); > -- > 1.7.4.1 > >
On 13.06.2011 12:58, Andy Whitcroft wrote: > From: Dave Jones <davej@redhat.com> > > We can get here with a NULL socket argument passed from userspace, > so we need to handle it accordingly. > > Signed-off-by: Dave Jones <davej@redhat.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > > (cherry picked from commit c6914a6f261aca0c9f715f883a353ae7ff51fe83) > CVE-2011-1598 > BugLink: http://bugs.launchpad.net/bugs/796502 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > net/can/bcm.c | 7 ++++++- > 1 files changed, 6 insertions(+), 1 deletions(-) > > diff --git a/net/can/bcm.c b/net/can/bcm.c > index 9d5e8ac..56d20a2 100644 > --- a/net/can/bcm.c > +++ b/net/can/bcm.c > @@ -1424,9 +1424,14 @@ static int bcm_init(struct sock *sk) > static int bcm_release(struct socket *sock) > { > struct sock *sk = sock->sk; > - struct bcm_sock *bo = bcm_sk(sk); > + struct bcm_sock *bo; > struct bcm_op *op, *next; > > + if (sk == NULL) > + return 0; > + > + bo = bcm_sk(sk); > + > /* remove bcm_ops, timer, rx_unregister(), etc. */ > > unregister_netdevice_notifier(&bo->notifier); Acked-by: Stefan Bader <stefan.bader@canonical.com>
diff --git a/net/can/bcm.c b/net/can/bcm.c index 9d5e8ac..56d20a2 100644 --- a/net/can/bcm.c +++ b/net/can/bcm.c @@ -1424,9 +1424,14 @@ static int bcm_init(struct sock *sk) static int bcm_release(struct socket *sock) { struct sock *sk = sock->sk; - struct bcm_sock *bo = bcm_sk(sk); + struct bcm_sock *bo; struct bcm_op *op, *next; + if (sk == NULL) + return 0; + + bo = bcm_sk(sk); + /* remove bcm_ops, timer, rx_unregister(), etc. */ unregister_netdevice_notifier(&bo->notifier);