forked from luck/tmp_suning_uos_patched
93a2014afb
Gengming reported a UAF in lec_arp_clear_vccs(), where we add a vcc socket to an entry in a per-device list but free the socket without removing it from the list when vcc->dev is NULL. We need to call lec_vcc_close() to search and remove those entries contain the vcc being destroyed. This can be done by calling vcc->push(vcc, NULL) unconditionally in vcc_destroy_socket(). Another issue discovered by Gengming's reproducer is the vcc->dev may point to the static device lecatm_dev, for which we don't need to register/unregister device, so we can just check for vcc->dev->ops->owner. Reported-by: Gengming Liu <l.dmxcsnsbh@gmail.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|---|---|---|
| .. | ||
| addr.c | ||
| addr.h | ||
| atm_misc.c | ||
| atm_sysfs.c | ||
| br2684.c | ||
| clip.c | ||
| common.c | ||
| common.h | ||
| ioctl.c | ||
| Kconfig | ||
| lec_arpc.h | ||
| lec.c | ||
| lec.h | ||
| Makefile | ||
| mpc.c | ||
| mpc.h | ||
| mpoa_caches.c | ||
| mpoa_caches.h | ||
| mpoa_proc.c | ||
| pppoatm.c | ||
| proc.c | ||
| protocols.h | ||
| pvc.c | ||
| raw.c | ||
| resources.c | ||
| resources.h | ||
| signaling.c | ||
| signaling.h | ||
| svc.c | ||