Skip to content

Commit

Permalink
Revert "dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()"
Browse files Browse the repository at this point in the history 
This reverts commit 2677d20.

This fixes an issue that after disconnect, dccps_hc_tx_ccid will still be
kept, allowing the socket to be reused as a listener socket, and the cloned
socket will free its dccps_hc_tx_ccid, leading to a later use after free,
when the listener socket is closed.

This addresses CVE-2020-16119.

Fixes: 2677d20 (dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect())
Reported-by: Hadar Manor
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
  • Loading branch information
@anthraxx
Thadeu Lima de Souza Cascardo authored and anthraxx committed Jan 19, 2021
1 parent 26ecf62 commit 8cc1858
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions net/dccp/proto.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -279,7 +279,9 @@ int dccp_disconnect(struct sock *sk, int flags)

dccp_clear_xmit_timers(sk);
ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
dp->dccps_hc_rx_ccid = NULL;
dp->dccps_hc_tx_ccid = NULL;

__skb_queue_purge(&sk->sk_receive_queue);
__skb_queue_purge(&sk->sk_write_queue);
Expand Down

0 comments on commit 8cc1858

Please sign in to comment.