David Howells b576b27f7b rxrpc: Fix use-after-free in rxrpc_receive_data() ... [ Upstream commit 122d74fac8 ] The subpacket scanning loop in rxrpc_receive_data() references the subpacket count in the private data part of the sk_buff in the loop termination condition. However, when the final subpacket is pasted into the ring buffer, the function is no longer has a ref on the sk_buff and should not be looking at sp->* any more. This point is actually marked in the code when skb is cleared (but sp is not - which is an error). Fix this by caching sp->nr_subpackets in a local variable and using that instead. Also clear 'sp' to catch accesses after that point. This can show up as an oops in rxrpc_get_skb() if sp->nr_subpackets gets trashed by the sk_buff getting freed and reused in the meantime. Fixes: e2de6c4048 ("rxrpc: Use info in skbuff instead of reparsing a jumbo packet") Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2020-02-01 09:34:40 +00:00
..
af_rxrpc.c	rxrpc: Fix lack of conn cleanup when local endpoint is cleaned up [ver #2]	2019-08-30 15:06:52 -07:00
ar-internal.h	rxrpc: Fix missing security check on incoming calls	2020-01-17 19:49:05 +01:00
call_accept.c	rxrpc: Fix missing security check on incoming calls	2020-01-17 19:49:05 +01:00
call_event.c	rxrpc: Use the tx-phase skb flag to simplify tracing	2019-08-27 10:04:18 +01:00
call_object.c	rxrpc: Fix call crypto state cleanup	2019-10-07 11:05:05 +01:00
conn_client.c	rxrpc: Fix call crypto state cleanup	2019-10-07 11:05:05 +01:00
conn_event.c	rxrpc: Fix missing security check on incoming calls	2020-01-17 19:49:05 +01:00
conn_object.c	rxrpc: Fix trace-after-put looking at the put connection record	2019-10-07 11:05:05 +01:00
conn_service.c	rxrpc: Fix missing security check on incoming calls	2020-01-17 19:49:05 +01:00
input.c	rxrpc: Fix use-after-free in rxrpc_receive_data()	2020-02-01 09:34:40 +00:00
insecure.c	rxrpc: Fix -Wframe-larger-than= warnings from on-stack crypto	2019-07-30 10:32:35 -07:00
Kconfig	treewide: Add SPDX license identifier - Makefile/Kconfig	2019-05-21 10:50:46 +02:00
key.c	Revert "Merge tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs"	2019-07-10 18:43:43 -07:00
local_event.c	rxrpc: Use the tx-phase skb flag to simplify tracing	2019-08-27 10:04:18 +01:00
local_object.c	rxrpc: Fix lack of conn cleanup when local endpoint is cleaned up [ver #2]	2019-08-30 15:06:52 -07:00
Makefile	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
misc.c	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36	2019-05-24 17:27:11 +02:00
net_ns.c	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36	2019-05-24 17:27:11 +02:00
output.c	rxrpc: Use the tx-phase skb flag to simplify tracing	2019-08-27 10:04:18 +01:00
peer_event.c	rxrpc: use rcu protection while reading sk->sk_user_data	2019-10-16 12:20:17 -07:00
peer_object.c	rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record	2019-10-07 11:05:05 +01:00
proc.c	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152	2019-05-30 11:26:32 -07:00
protocol.h	rxrpc: Improve jumbo packet counting	2019-08-27 09:48:37 +01:00
recvmsg.c	rxrpc: Fix handling of last subpacket of jumbo packet	2019-10-31 12:23:09 -07:00
rxkad.c	rxrpc: Fix missing security check on incoming calls	2020-01-17 19:49:05 +01:00
security.c	rxrpc: Fix missing security check on incoming calls	2020-01-17 19:49:05 +01:00
sendmsg.c	rxrpc: Fix call crypto state cleanup	2019-10-07 11:05:05 +01:00
skbuff.c	rxrpc: Use skb_unshare() rather than skb_cow_data()	2019-08-27 10:13:46 +01:00
sysctl.c	proc/sysctl: add shared variables for range check	2019-07-18 17:08:07 -07:00
utils.c	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36	2019-05-24 17:27:11 +02:00