[net,4/4] tipc: fix use-after-free in tipc_disc_rcv()

Message ID	20191210082105.23905-5-tuong.t.lien@dektech.com.au
State	Accepted
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> From: Tuong Lien <tuong.t.lien@dektech.com.au> To: davem@davemloft.net, jon.maloy@ericsson.com, maloy@donjonn.com, ying.xue@windriver.com, netdev@vger.kernel.org Cc: tipc-discussion@lists.sourceforge.net Subject: [net 4/4] tipc: fix use-after-free in tipc_disc_rcv() Date: Tue, 10 Dec 2019 15:21:05 +0700 Message-Id: <20191210082105.23905-5-tuong.t.lien@dektech.com.au> In-Reply-To: <20191210082105.23905-1-tuong.t.lien@dektech.com.au> References: <20191210082105.23905-1-tuong.t.lien@dektech.com.au> Sender: netdev-owner@vger.kernel.org Precedence: bulk
Series	tipc: fix some issues \| expand [net,0/4] tipc: fix some issues [net,1/4] tipc: fix name table rbtree issues [net,2/4] tipc: fix potential hanging after b/rcast changing [net,3/4] tipc: fix retrans failure due to wrong destination [net,4/4] tipc: fix use-after-free in tipc_disc_rcv()

Message ID

20191210082105.23905-5-tuong.t.lien@dektech.com.au

State

Accepted

Delegated to:

David Miller

Headers

From: Tuong Lien <tuong.t.lien@dektech.com.au>
To: davem@davemloft.net, jon.maloy@ericsson.com, maloy@donjonn.com,
	ying.xue@windriver.com, netdev@vger.kernel.org
Cc: tipc-discussion@lists.sourceforge.net
Subject: [net 4/4] tipc: fix use-after-free in tipc_disc_rcv()
Date: Tue, 10 Dec 2019 15:21:05 +0700
Message-Id: <20191210082105.23905-5-tuong.t.lien@dektech.com.au>
In-Reply-To: <20191210082105.23905-1-tuong.t.lien@dektech.com.au>
References: <20191210082105.23905-1-tuong.t.lien@dektech.com.au>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Series

tipc: fix some issues | expand

Commit Message

Tuong Lien Dec. 10, 2019, 8:21 a.m. UTC

In the function 'tipc_disc_rcv()', the 'msg_peer_net_hash()' is called
to read the header data field but after the message skb has been freed,
that might result in a garbage value...

This commit fixes it by defining a new local variable to store the data
first, just like the other header fields' handling.

Fixes: f73b12812a3d ("tipc: improve throughput between nodes in netns")
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: Tuong Lien <tuong.t.lien@dektech.com.au>
---
 net/tipc/discover.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/tipc/discover.c b/net/tipc/discover.c
index b043e8c6397a..bfe43da127c0 100644
--- a/net/tipc/discover.c
+++ b/net/tipc/discover.c
@@ -194,6 +194,7 @@  void tipc_disc_rcv(struct net *net, struct sk_buff *skb,
 {
 	struct tipc_net *tn = tipc_net(net);
 	struct tipc_msg *hdr = buf_msg(skb);
+	u32 pnet_hash = msg_peer_net_hash(hdr);
 	u16 caps = msg_node_capabilities(hdr);
 	bool legacy = tn->legacy_addr_format;
 	u32 sugg = msg_sugg_node_addr(hdr);
@@ -242,9 +243,8 @@  void tipc_disc_rcv(struct net *net, struct sk_buff *skb,
 		return;
 	if (!tipc_in_scope(legacy, b->domain, src))
 		return;
-	tipc_node_check_dest(net, src, peer_id, b, caps, signature,
-			     msg_peer_net_hash(hdr), &maddr, &respond,
-			     &dupl_addr);
+	tipc_node_check_dest(net, src, peer_id, b, caps, signature, pnet_hash,
+			     &maddr, &respond, &dupl_addr);
 	if (dupl_addr)
 		disc_dupl_alert(b, src, &maddr);
 	if (!respond)

[net,4/4] tipc: fix use-after-free in tipc_disc_rcv()

Commit Message

Patch