original_kernel/net/dccp
Alexey Kodanev 67f93df79a dccp: check sk for closed state in dccp_sendmsg()
dccp_disconnect() sets 'dp->dccps_hc_tx_ccid' tx handler to NULL,
therefore if DCCP socket is disconnected and dccp_sendmsg() is
called after it, it will cause a NULL pointer dereference in
dccp_write_xmit().

This crash and the reproducer was reported by syzbot. Looks like
it is reproduced if commit 69c64866ce ("dccp: CVE-2017-8824:
use-after-free in DCCP code") is applied.

Reported-by: syzbot+f99ab3887ab65d70f816@syzkaller.appspotmail.com
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-07 13:38:56 -05:00
..
ccids dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state 2018-01-26 11:15:00 -05:00
Kconfig net: dccp: Remove dccpprobe module 2018-01-02 14:27:30 -05:00
Makefile net: dccp: Remove dccpprobe module 2018-01-02 14:27:30 -05:00
ackvec.c net: dccp: drop unneeded newline 2018-01-02 13:49:32 -05:00
ackvec.h
ccid.c
ccid.h
dccp.h
diag.c
feat.c
feat.h
input.c
ipv4.c
ipv6.c
ipv6.h
minisocks.c tcp/dccp: avoid one atomic operation for timewait hashdance 2017-12-13 14:33:10 -05:00
options.c
output.c
proto.c dccp: check sk for closed state in dccp_sendmsg() 2018-03-07 13:38:56 -05:00
qpolicy.c
sysctl.c
timer.c
trace.h net: dccp: Add DCCP sendmsg trace event 2018-01-02 14:27:30 -05:00