kernel: fix reuse-after-free in DCCP (backport from 5edabca9d4cff7f1f…

…2b68f0bac55ef99d9798ba4) Note that this does not currently affect us, as DCCP support isn't enabled. This fix is applied in case DCCP was enabled at some point in the future.
zuozhehao · Feb 23, 2017 · cced648 · cced648
1 parent 9e665fc
commit cced648
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 6 deletions.
diff --git a/release/src-rt-6.x.4708/linux/linux-2.6.36/net/dccp/input.c b/release/src-rt-6.x.4708/linux/linux-2.6.36/net/dccp/input.c
@@ -605,7 +605,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
 			if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
 								    skb) < 0)
 				return 1;
-			goto discard;
+			consume_skb(skb);
+			return 0;
 		}
 		if (dh->dccph_type == DCCP_PKT_RESET)
 			goto discard;

diff --git a/release/src-rt-7.14.114.x/src/linux/linux-2.6.36/net/dccp/input.c b/release/src-rt-7.14.114.x/src/linux/linux-2.6.36/net/dccp/input.c
@@ -605,7 +605,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
 			if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
 								    skb) < 0)
 				return 1;
-			goto discard;
+			consume_skb(skb);
+			return 0;
 		}
 		if (dh->dccph_type == DCCP_PKT_RESET)
 			goto discard;

diff --git a/release/src-rt-7.x.main/src/linux/linux-2.6.36/net/dccp/input.c b/release/src-rt-7.x.main/src/linux/linux-2.6.36/net/dccp/input.c
@@ -605,7 +605,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
 			if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
 								    skb) < 0)
 				return 1;
-			goto discard;
+			consume_skb(skb);
+			return 0;
 		}
 		if (dh->dccph_type == DCCP_PKT_RESET)
 			goto discard;

diff --git a/release/src-rt/linux/linux-2.6/net/dccp/input.c b/release/src-rt/linux/linux-2.6/net/dccp/input.c
@@ -463,9 +463,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
 			if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
 								    skb) < 0)
 				return 1;
-
-			/* FIXME: do congestion control initialization */
-			goto discard;
+			consume_skb(skb);
+			return 0;
 		}
 		if (dh->dccph_type == DCCP_PKT_RESET)
 			goto discard;