Message ID | 19037.40189.520170.8242@ipc1.ka-ro |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
From: Lothar Waßmann <LW@KARO-electronics.de>
Date: Wed, 15 Jul 2009 11:10:21 +0200

> Fix a use after free bug in can protocol drivers
>
> The release functions of the can protocol drivers lack a call to
> sock_orphan() which leads to referencing freed memory under certain
> circumstances.
>
> This patch fixes a bug reported here:
> https://lists.berlios.de/pipermail/socketcan-users/2009-July/000985.html
>
> Signed-off-by: Lothar Wassmann <LW@KARO-electronics.de>
> Acked-by: Oliver Hartkopp <oliver@hartkopp.net>

Applied.
diff -upr linux-2.6.30/net/can/bcm.c linux-2.6.30-karo/net/can/bcm.c --- linux-2.6.30/net/can/bcm.c 2009-06-10 05:05:27.000000000 +0200 +++ linux-2.6.30-karo/net/can/bcm.c 2009-07-14 14:13:01.000000000 +0200 @@ -1469,6 +1469,9 @@ static int bcm_release(struct socket *so bo->ifindex = 0; } + sock_orphan(sk); + sock->sk = NULL; + release_sock(sk); sock_put(sk); diff -upr linux-2.6.30/net/can/raw.c linux-2.6.30-karo/net/can/raw.c --- linux-2.6.30/net/can/raw.c 2009-06-10 05:05:27.000000000 +0200 +++ linux-2.6.30-karo/net/can/raw.c 2009-07-14 14:13:07.000000000 +0200 @@ -306,6 +306,9 @@ static int raw_release(struct socket *so ro->bound = 0; ro->count = 0; + sock_orphan(sk); + sock->sk = NULL; + release_sock(sk); sock_put(sk);
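Review bot: in the net/can/bcm.c hunk, the added `sock->sk = NULL;` in bcm_release() means any later pass through the release path for this socket sees a NULL sk, and the visible context does not show a NULL check on sk at function entry. Please confirm that bcm_release() returns early when sock->sk is NULL, or add that check alongside this change, so the fix for the use after free does not leave a NULL dereference behind.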
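Review bot: in the net/can/raw.c hunk, the new `sock_orphan(sk);` in raw_release() has no comment saying why the sock must be detached from the socket before `release_sock(sk)` and `sock_put(sk)`, and the commit message only says "under certain circumstances". A short comment above the call naming what can still reference the sock after release would make the ordering requirement clear to later readers. The same two statements are now repeated in bcm_release(), so a small shared helper would keep the two release paths from drifting apart.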