Commit 771085d6 authored Aug 09, 2013 by Daniel Borkmann Committed by David S. Miller Aug 12, 2013

net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption



Probably this one is quite unlikely to be triggered, but it's more safe
to do the call_rcu() at the end after we have dropped the reference on
the asoc and freed sctp packet chunks. The reason why is because in
sctp_transport_destroy_rcu() the transport is being kfree()'d, and if
we're unlucky enough we could run into corrupted pointers. Probably
that's more of theoretical nature, but it's safer to have this simple fix.

Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings
for deferred call_rcu's"). I also did the 8c98653f regression test and
it's fine that way.

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent ac4f9599

net/sctp/transport.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -181,12 +181,12 @@ static void sctp_transport_destroy(struct sctp_transport *transport)
		return;
		}

		call_rcu(&transport->rcu, sctp_transport_destroy_rcu);

		sctp_packet_free(&transport->packet);

		if (transport->asoc)
		sctp_association_put(transport->asoc);

		call_rcu(&transport->rcu, sctp_transport_destroy_rcu);
		}

		/* Start T3_rtx timer if it is not already running and update the heartbeat

Admin message