sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)
This commit is contained in:
parent
9e381d5c13
commit
58fbff3df5
|
@ -198,6 +198,7 @@ linux (4.9.9-1) UNRELEASED; urgency=medium
|
|||
* IB/rxe: Fix mem_check_range integer overflow (CVE-2016-8636)
|
||||
* selinux: fix off-by-one in setprocattr (CVE-2017-2618)
|
||||
* ipv4: keep skb->dst around in presence of IP options (CVE-2017-5970)
|
||||
* sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Fri, 27 Jan 2017 18:14:31 +0000
|
||||
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
|
||||
Date: Mon, 6 Feb 2017 18:10:31 -0200
|
||||
Subject: sctp: avoid BUG_ON on sctp_wait_for_sndbuf
|
||||
Origin: https://git.kernel.org/linus/2dcab598484185dea7ec22219c76dcdd59e3cb90
|
||||
|
||||
Alexander Popov reported that an application may trigger a BUG_ON in
|
||||
sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
|
||||
waiting on it to queue more data and meanwhile another thread peels off
|
||||
the association being used by the first thread.
|
||||
|
||||
This patch replaces the BUG_ON call with a proper error handling. It
|
||||
will return -EPIPE to the original sendmsg call, similarly to what would
|
||||
have been done if the association wasn't found in the first place.
|
||||
|
||||
Acked-by: Alexander Popov <alex.popov@linux.com>
|
||||
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
|
||||
Reviewed-by: Xin Long <lucien.xin@gmail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/sctp/socket.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
|
||||
index 37eeab7..e214d2e 100644
|
||||
--- a/net/sctp/socket.c
|
||||
+++ b/net/sctp/socket.c
|
||||
@@ -7426,7 +7426,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
|
||||
*/
|
||||
release_sock(sk);
|
||||
current_timeo = schedule_timeout(current_timeo);
|
||||
- BUG_ON(sk != asoc->base.sk);
|
||||
+ if (sk != asoc->base.sk)
|
||||
+ goto do_error;
|
||||
lock_sock(sk);
|
||||
|
||||
*timeo_p = current_timeo;
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -107,6 +107,7 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
|||
bugfix/all/IB-rxe-Fix-mem_check_range-integer-overflow.patch
|
||||
bugfix/all/selinux-fix-off-by-one-in-setprocattr.patch
|
||||
bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch
|
||||
bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
||||
|
|
Loading…
Reference in New Issue