| field | value | date |
|---|---|---|
| author | Thadeu Lima de Souza Cascardo <cascardo@canonical.com> | 2020-08-27 23:47:47 -0300 |
| committer | Thadeu Lima de Souza Cascardo <cascardo@canonical.com> | 2020-09-30 09:51:36 -0300 |
| commit | 01872cb896c76cedeabe93a08456976ab55ad695 (patch) | |
| tree | 0d66a42615718a8a842a5277eda738c58cb1b1ec | |
| parent | 24d019b8deb5863ff1cd8306c81202ebabdf652e (diff) | |
UBUNTU: SAUCE: dccp: avoid double free of ccid on child socket
When a dccp socket is cloned, the pointers to dccps_hc_rx_ccid and
dccps_hc_tx_ccid are copied. When CCID features are activated on the child
socket, the CCID objects are freed, leaving the parent socket with dangling
pointers.
During cloning, set dccps_hc_rx_ccid and dccps_hc_tx_ccid to NULL so the
parent objects are not freed.
Reported-by: Hadar Manor
CVE-2020-16119
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Juerg Haefliger <juerg.haefliger@canonical.com>
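The ownership problem the commit message describes, modelled in a few lines of user-space C as an added example (this is not kernel code and not part of the patch): a "socket" struct owns two CCID objects, a struct copy during cloning silently turns the child into a second owner, and replacing the child's CCIDs then frees objects the parent still points to. The `clone_fixed` variant mirrors what the hunk does by clearing the inherited pointers right after the copy. All names here (`struct sock`, `ccid_new`, `activate_ccids`, `parent_left_dangling`) are invented for the demo; the freed-pointer log exists only so the check can be made without touching freed memory.

```c
#include <stddef.h>
#include <stdlib.h>

/* Toy model of the bug (constructed for this example, not kernel code):
 * a socket owns two CCID objects; copying the struct duplicates the
 * owning pointers, so two sockets believe they own the same objects. */
struct ccid { int id; };
struct sock { struct ccid *rx_ccid; struct ccid *tx_ccid; };

/* Log of freed CCID addresses, so the demo can tell whether the parent's
 * objects were freed out from under it without dereferencing them. */
#define MAX_FREED 8
static const struct ccid *freed_log[MAX_FREED];
static int freed_count;

static struct ccid *ccid_new(int id) {
    struct ccid *c = malloc(sizeof *c);
    if (c) c->id = id;
    return c;
}

static void ccid_free(struct ccid *c) {
    if (!c) return;
    if (freed_count < MAX_FREED) freed_log[freed_count++] = c;
    free(c);
}

static int was_freed(const struct ccid *c) {
    for (int i = 0; i < freed_count; i++)
        if (freed_log[i] == c) return 1;
    return 0;
}

/* Pre-patch behaviour: the struct copy carries the parent's CCID
 * pointers into the child. */
static struct sock *clone_buggy(const struct sock *parent) {
    struct sock *child = malloc(sizeof *child);
    if (child) *child = *parent;
    return child;
}

/* Patched behaviour: copy, then clear the inherited CCID pointers so the
 * child owns nothing until feature activation gives it its own objects. */
static struct sock *clone_fixed(const struct sock *parent) {
    struct sock *child = clone_buggy(parent);
    if (child) {
        child->rx_ccid = NULL;
        child->tx_ccid = NULL;
    }
    return child;
}

/* Feature activation: drop whatever CCIDs are installed and allocate
 * fresh ones. With the buggy clone this frees the parent's objects. */
static void activate_ccids(struct sock *sk, int id) {
    ccid_free(sk->rx_ccid);
    ccid_free(sk->tx_ccid);
    sk->rx_ccid = ccid_new(id);
    sk->tx_ccid = ccid_new(id + 1);
}

/* Clone a parent with the given strategy, activate features on the child,
 * and report whether the parent's CCIDs were freed behind its back.
 * Returns 1 if the parent is left with dangling pointers, 0 if intact,
 * -1 on allocation failure. */
static int parent_left_dangling(struct sock *(*clone)(const struct sock *)) {
    struct sock parent = { ccid_new(1), ccid_new(2) };
    struct sock *child = clone(&parent);
    int dangling;

    if (!child) {
        ccid_free(parent.rx_ccid);
        ccid_free(parent.tx_ccid);
        freed_count = 0;
        return -1;
    }
    activate_ccids(child, 10);
    /* Only the pointer values are compared against the log here. */
    dangling = was_freed(parent.rx_ccid) || was_freed(parent.tx_ccid);

    /* Teardown: the child owns its freshly activated CCIDs; the parent's
     * objects are still alive only in the non-dangling case. */
    ccid_free(child->rx_ccid);
    ccid_free(child->tx_ccid);
    free(child);
    if (!dangling) {
        ccid_free(parent.rx_ccid);
        ccid_free(parent.tx_ccid);
    }
    freed_count = 0;
    return dangling;
}

int main(void) {
    /* Exit status 0 when the buggy clone leaves the parent dangling and
     * the fixed clone does not. */
    return (parent_left_dangling(clone_buggy) == 1 &&
            parent_left_dangling(clone_fixed) == 0) ? 0 : 1;
}
```

The general lesson the fix embodies: when a struct is duplicated wholesale, every pointer field that represents ownership must be either deep-copied or cleared in the copy, otherwise the first owner to release it leaves the other with a stale pointer and a later release becomes a double free.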
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | net/dccp/minisocks.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/dccp/minisocks.c b/net/dccp/minisocks.c index 25187528c308..def85e50f1af 100644 --- a/net/dccp/minisocks.c +++ b/net/dccp/minisocks.c @@ -93,6 +93,8 @@ struct sock *dccp_create_openreq_child(const struct sock *sk, newdp->dccps_role = DCCP_ROLE_SERVER; newdp->dccps_hc_rx_ackvec = NULL; + newdp->dccps_hc_rx_ccid = NULL; + newdp->dccps_hc_tx_ccid = NULL; newdp->dccps_service_list = NULL; newdp->dccps_service = dreq->dreq_service; newdp->dccps_timestamp_echo = dreq->dreq_timestamp_echo; |
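Review bot: the two added assignments `newdp->dccps_hc_rx_ccid = NULL;` and `newdp->dccps_hc_tx_ccid = NULL;` deserve a short in-code comment stating why the child must not inherit these pointers (the copy makes the child a second owner of the parent's CCID objects, and CCID feature activation on the child would free them), mirroring the reasoning already given in the commit message; without it, a later cleanup could easily fold these lines back into the surrounding copy. It would also help reviewers if the commit message confirmed that no code path touches the child's CCIDs between dccp_create_openreq_child and feature activation, since after this change they start out NULL rather than pointing at the parent's live objects.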
