diff options
| author | Florian Westphal <[email protected]> | 2020-02-06 00:39:37 +0100 |
|---|---|---|
| committer | David S. Miller <[email protected]> | 2020-02-06 11:25:09 +0100 |
| commit | b0519de8b3f1caf10632aca55def999ec2d2f1bc (patch) | |
| tree | b95ccc010e7691b0715d76e2b9f74e4489876894 /tools/perf/scripts/python/exported-sql-viewer.py | |
| parent | 0202d293c2faecba791ba4afc5aec086249c393d (diff) | |
mptcp: fix use-after-free for ipv6
Turns out that when we accept a new subflow, the newly created
inet_sk(tcp_sk)->pinet6 points at the ipv6_pinfo structure of the
listener socket.
This wasn't caught by the selftest because it closes the accepted fd
before the listening one.
adding a close(listenfd) after accept returns is enough:
BUG: KASAN: use-after-free in inet6_getname+0x6ba/0x790
Read of size 1 at addr ffff88810e310866 by task mptcp_connect/2518
Call Trace:
inet6_getname+0x6ba/0x790
__sys_getpeername+0x10b/0x250
__x64_sys_getpeername+0x6f/0xb0
also alter test program to exercise this.
Reported-by: Christoph Paasch <[email protected]>
Signed-off-by: Florian Westphal <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Diffstat (limited to 'tools/perf/scripts/python/exported-sql-viewer.py')
0 files changed, 0 insertions, 0 deletions