mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-12 21:57:43 +00:00
dccp: don't duplicate ccid when cloning dccp sock
commitd9ea761fdd
upstream. Commit2677d20677
("dccp: don't free ccid2_hc_tx_sock ...") fixed a UAF but reintroduced CVE-2017-6074. When the sock is cloned, two dccps_hc_tx_ccid will reference to the same ccid. So one can free the ccid object twice from two socks after cloning. This issue was found by "Hadar Manor" as well and assigned with CVE-2020-16119, which was fixed in Ubuntu's kernel. So here I port the patch from Ubuntu to fix it. The patch prevents cloned socks from referencing the same ccid. Fixes:2677d20677
("dccp: don't free ccid2_hc_tx_sock ...") Signed-off-by: Zhenpeng Lin <zplin@psu.edu> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
3d3aed0cc0
commit
a1bb3c064b
1 changed files with 2 additions and 0 deletions
|
@ -98,6 +98,8 @@ struct sock *dccp_create_openreq_child(const struct sock *sk,
|
|||
newdp->dccps_role = DCCP_ROLE_SERVER;
|
||||
newdp->dccps_hc_rx_ackvec = NULL;
|
||||
newdp->dccps_service_list = NULL;
|
||||
newdp->dccps_hc_rx_ccid = NULL;
|
||||
newdp->dccps_hc_tx_ccid = NULL;
|
||||
newdp->dccps_service = dreq->dreq_service;
|
||||
newdp->dccps_timestamp_echo = dreq->dreq_timestamp_echo;
|
||||
newdp->dccps_timestamp_time = dreq->dreq_timestamp_time;
|
||||
|
|
Loading…
Reference in a new issue