author: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> 2020-08-27 23:47:47 -0300
committer: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> 2020-09-30 09:51:36 -0300
commit: 01872cb896c76cedeabe93a08456976ab55ad695 (patch)
tree: 0d66a42615718a8a842a5277eda738c58cb1b1ec
parent: 24d019b8deb5863ff1cd8306c81202ebabdf652e (diff)
UBUNTU: SAUCE: dccp: avoid double free of ccid on child socket
When a dccp socket is cloned, the pointers to dccps_hc_rx_ccid and dccps_hc_tx_ccid are copied. When CCID features are activated on the child socket, the CCID objects are freed, leaving the parent socket with dangling pointers.

During cloning, set dccps_hc_rx_ccid and dccps_hc_tx_ccid to NULL so the parent objects are not freed.

Reported-by: Hadar Manor
CVE-2020-16119
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Juerg Haefliger <juerg.haefliger@canonical.com>
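The ownership problem the commit message describes, reduced to a user-space model as an added example (not kernel code and not part of this patch): a struct copy duplicates two owned pointers, the child later replaces its objects and frees the aliased ones, and the parent's teardown then frees them a second time. `struct ccid`, `struct sock_state`, `activate_ccids` and the pool allocator are hypothetical stand-ins; the pool never reuses slots so a second release of the same object is counted rather than corrupting memory. `clone_owned` applies the same fix as the patch, clearing the two pointers on the child.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a CCID object. Objects come from a fixed pool
 * whose slots are never reused, so a released object stays recognisable. */
struct ccid {
    int id;
    int in_use;
};

/* Hypothetical stand-in for per-socket DCCP state: two owned pointers plus
 * scalar state that is legitimately copied on clone. */
struct sock_state {
    int role;
    struct ccid *rx_ccid;
    struct ccid *tx_ccid;
};

#define POOL_SIZE 16
static struct ccid pool[POOL_SIZE];
static int pool_used;
static int double_free_count;

static struct ccid *ccid_new(int id)
{
    if (pool_used >= POOL_SIZE)
        return NULL;
    struct ccid *c = &pool[pool_used++];
    c->id = id;
    c->in_use = 1;
    return c;
}

/* Releasing an already released object is the bug the patch fixes; count it
 * instead of letting it corrupt the allocator. */
static void ccid_free(struct ccid *c)
{
    if (!c)
        return;
    if (!c->in_use) {
        double_free_count++;
        return;
    }
    c->in_use = 0;
}

/* Buggy clone: the struct copy duplicates the owned pointers, so parent and
 * child both believe they own the same two objects. */
static void clone_aliasing(struct sock_state *child, const struct sock_state *parent)
{
    *child = *parent;
}

/* Fixed clone, mirroring the patch: copy the scalar state but give the child
 * no CCID objects; it allocates its own when its CCID features are activated. */
static void clone_owned(struct sock_state *child, const struct sock_state *parent)
{
    *child = *parent;
    child->rx_ccid = NULL;
    child->tx_ccid = NULL;
}

/* Stand-in for CCID feature activation: release whatever the socket holds and
 * install fresh objects. With aliased pointers this frees the parent's objects. */
static void activate_ccids(struct sock_state *s, int rx_id, int tx_id)
{
    ccid_free(s->rx_ccid);
    ccid_free(s->tx_ccid);
    s->rx_ccid = ccid_new(rx_id);
    s->tx_ccid = ccid_new(tx_id);
}

static void sock_destroy(struct sock_state *s)
{
    ccid_free(s->rx_ccid);
    ccid_free(s->tx_ccid);
    s->rx_ccid = NULL;
    s->tx_ccid = NULL;
}

/* Clone a listening socket, activate features on the child, then tear both
 * down. Returns the number of double frees the pool detected. */
int run_clone_scenario(int use_fixed_clone)
{
    struct sock_state parent = { .role = 0 }, child;

    pool_used = 0;
    double_free_count = 0;
    parent.rx_ccid = ccid_new(2);
    parent.tx_ccid = ccid_new(2);

    if (use_fixed_clone)
        clone_owned(&child, &parent);
    else
        clone_aliasing(&child, &parent);
    child.role = 1;

    activate_ccids(&child, 3, 3);
    sock_destroy(&child);
    sock_destroy(&parent); /* dangling in the aliasing case */
    return double_free_count;
}

/* Pool objects still marked in use after a scenario; 0 means nothing leaked. */
int live_ccid_count(void)
{
    int n = 0;
    for (int i = 0; i < pool_used; i++)
        n += pool[i].in_use;
    return n;
}

int main(void)
{
    printf("aliasing clone: %d double free(s)\n", run_clone_scenario(0));
    printf("fixed clone:    %d double free(s)\n", run_clone_scenario(1));
    return 0;
}
```

The aliasing path reports two double frees and the fixed path none, with no object left in use either way, which is the property the patch restores: the parent keeps sole ownership of its CCID objects and the child only ever frees objects it allocated itself.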
-rw-r--r-- net/dccp/minisocks.c | 2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/dccp/minisocks.c b/net/dccp/minisocks.c
index 25187528..def85e5 100644
--- a/net/dccp/minisocks.c
+++ b/net/dccp/minisocks.c
@@ -93,6 +93,8 @@ struct sock *dccp_create_openreq_child(const struct sock *sk,
newdp->dccps_role = DCCP_ROLE_SERVER;
newdp->dccps_hc_rx_ackvec = NULL;
+ newdp->dccps_hc_rx_ccid = NULL;
+ newdp->dccps_hc_tx_ccid = NULL;
newdp->dccps_service_list = NULL;
newdp->dccps_service = dreq->dreq_service;
newdp->dccps_timestamp_echo = dreq->dreq_timestamp_echo;
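Review bot: the two new assignments deserve a short comment in the code, because the reason for them lives only in the commit message: the CCID objects stay owned by the listening socket, and the child is expected to receive its own when its CCID features are activated. Without that comment the lines read like a plain initialisation next to `newdp->dccps_hc_rx_ackvec = NULL;` and a later change could reintroduce the copy. It is also worth confirming in the same spot that no path between `dccp_create_openreq_child()` returning and the child's feature activation dereferences `dccps_hc_rx_ccid` or `dccps_hc_tx_ccid`, since every other field of the child is still copied from the parent and the child socket now carries NULL where the parent had a live object.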