author | Marcelo Ricardo Leitner <[email protected]> | 2016-01-08 11:00:54 -0200 |
---|---|---|
committer | David S. Miller <[email protected]> | 2016-01-11 17:13:01 -0500 |
commit | 649621e3d54439ae232d726d7beef295d3887a68 (patch) | |
tree | e8229276e251856aab325ce510d22cd51a35e3f0 /drivers/fpga/fpga-mgr.c | |
parent | 366ce60315292a579b8ceae2777102e1954a2024 (diff) |

sctp: fix use-after-free in pr_debug statement

Dmitry Vyukov reported a use-after-free in the code expanded by the
macro debug_post_sfx, which is caused by the use of the asoc pointer
after it was freed within sctp_side_effect() scope.

This patch fixes it by allowing sctp_side_effect to clear that asoc
pointer when the TCB is freed.

As Vlad explained, we also have to cover the SCTP_DISPOSITION_ABORT case
because it will trigger DELETE_TCB too on that same loop.

Also, there were places issuing SCTP_CMD_INIT_FAILED and ASSOC_FAILED
but returning SCTP_DISPOSITION_CONSUME, which would fool the scheme
above. Fix it by returning SCTP_DISPOSITION_ABORT instead.

The macro is already prepared to handle such NULL pointer.

Reported-by: Dmitry Vyukov <[email protected]>
Signed-off-by: Marcelo Ricardo Leitner <[email protected]>
Acked-by: Vlad Yasevich <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

Diffstat (limited to 'drivers/fpga/fpga-mgr.c')
0 files changed, 0 insertions, 0 deletions
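
The pattern the commit message describes, as an added user-space example that is not the kernel patch: the callee that frees the object takes a pointer to the caller's pointer and clears it, so the debug statement that runs afterwards sees NULL instead of a stale address. All names (`struct assoc`, `side_effects`, `debug_post`, the `DISP_*` values) are hypothetical stand-ins, and the assumption that the clearing is keyed on the returned disposition is inferred from the message's remark about handlers returning CONSUME.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model; these are not kernel identifiers. */
enum disposition { DISP_CONSUME, DISP_DELETE_TCB, DISP_ABORT };

struct assoc { int id; };

/* Debug helper that tolerates NULL, as the message says the macro does. */
static int debug_post(const struct assoc *asoc)
{
    if (!asoc) {
        fprintf(stderr, "post: asoc=(freed)\n");
        return -1;
    }
    fprintf(stderr, "post: asoc=%d\n", asoc->id);
    return asoc->id;
}

/* Taking struct assoc ** lets the callee clear the caller's pointer.
 * Every status that tears the object down must be listed here: a handler
 * that frees but reports DISP_CONSUME would leave the caller's copy stale. */
static void side_effects(enum disposition status, struct assoc **asoc)
{
    switch (status) {
    case DISP_DELETE_TCB:
    case DISP_ABORT:            /* abort also ends in a delete */
        free(*asoc);
        *asoc = NULL;
        break;
    case DISP_CONSUME:
        break;
    }
}

/* Returns what the post-processing debug statement saw: the id,
 * -1 if the association was freed, -2 on allocation failure. */
int run_state_machine(enum disposition status, int id)
{
    struct assoc *asoc = malloc(sizeof(*asoc));
    int seen;

    if (!asoc)
        return -2;
    asoc->id = id;
    side_effects(status, &asoc);
    seen = debug_post(asoc);    /* NULL here when the object was freed */
    free(asoc);                 /* free(NULL) is a no-op */
    return seen;
}
```
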