author Hannes Frederic Sowa <hannes@stressinduktion.org> 2016-01-22 01:39:43 +0100
committer David S. Miller <davem@davemloft.net> 2016-01-24 22:18:26 -0800
commit 9a368aff9cb370298fa02feeffa861f2db497c18
tree 87d702049504d914d40c61d91c89bcd5dd1cebf8 /net
parent drivers: net: xgene: fix extra IRQ issue
pptp: fix illegal memory access caused by multiple bind()s

Several times already this has been reported as kasan reports caused by syzkaller and trinity and people always looked at RCU races, but it is much more simple. :)

In case we bind a pptp socket multiple times, we simply add it to the callid_sock list but don't remove the old binding. Thus the old socket stays in the bucket with unused call_id indexes and doesn't get cleaned up. This causes various forms of kasan reports which were hard to pinpoint.

Simply don't allow multiple binds and correct error handling in pptp_bind. Also keep sk_state bits in place in pptp_connect.

Fixes: 00959ade36acad ("PPTP: PPP over IPv4 (Point-to-Point Tunneling Protocol)")
Cc: Dmitry Kozlov <xeb@mail.ru>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Dave Jones <davej@codemonkey.org.uk>
Reported-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

Diffstat (limited to 'net')
0 files changed, 0 insertions, 0 deletions
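
The stale-binding problem the commit message describes, as a small user-space model added here for illustration; it is not the kernel code and not part of this commit. The struct, the table size, the function names and the -EBUSY return value are assumptions of the model; only the callid_sock name comes from the message.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_CALLID 8                               /* constructed table size */
struct model_sock { int call_id; int bound; };     /* hypothetical stand-in */
static struct model_sock *callid_sock[MAX_CALLID]; /* call_id -> socket */

/* Behaviour before the fix, per the commit message: a repeated bind adds
 * the socket under the new call_id and leaves the old slot in place. */
static int bind_unchecked(struct model_sock *sk, int call_id)
{
    if (call_id < 0 || call_id >= MAX_CALLID || callid_sock[call_id])
        return -EINVAL;
    callid_sock[call_id] = sk;
    sk->call_id = call_id;
    sk->bound = 1;
    return 0;
}

/* Guarded variant: a socket that is already bound is refused. */
static int bind_checked(struct model_sock *sk, int call_id)
{
    if (sk->bound)
        return -EBUSY;                   /* error code chosen for the model */
    return bind_unchecked(sk, call_id);
}

/* Cleanup only knows the current call_id, so it clears exactly one slot. */
static void release(struct model_sock *sk)
{
    if (sk->bound)
        callid_sock[sk->call_id] = NULL;
    sk->bound = 0;
}

/* Slots still pointing at sk; after release each one is a dangling pointer. */
static int slots_referencing(const struct model_sock *sk)
{
    int n = 0;
    for (int i = 0; i < MAX_CALLID; i++)
        n += (callid_sock[i] == sk);
    return n;
}

int main(void)
{
    struct model_sock a = {0, 0};
    bind_unchecked(&a, 1);
    bind_unchecked(&a, 2);
    release(&a);
    printf("slots left after release: %d\n", slots_referencing(&a));
    return 0;
}
```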