    net: llc: fix use after free in llc_ui_recvmsg · 4d231b76
    Committed by Daniel Borkmann
    While commit 30a584d9 fixes datagram interface in LLC, a use
    after free bug has been introduced for SOCK_STREAM sockets that do
    not make use of MSG_PEEK.
    
    The flow is as follows ...
    
      if (!(flags & MSG_PEEK)) {
        ...
        sk_eat_skb(sk, skb, false);
        ...
      }
      ...
      if (used + offset < skb->len)
        continue;
    
    ... where sk_eat_skb() calls __kfree_skb(). Therefore, cache
    original length and work on skb_len to check partial reads.
    
    Fixes: 30a584d9 ("[LLX]: SOCK_DGRAM interface fixes")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
af_llc.c 31.1 KB
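A constructed model of the corrected receive loop, added here as an example; it is not code from af_llc.c or from the commit. It assumes a simplified skb queue (`struct skb`, `push_skb`, `eat_skb`, `recv_stream` are all invented for the example) and shows the fix pattern: the length is cached in `skb_len` before the buffer is freed, so the partial-read check that runs after the free never dereferences the dead skb.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified stand-in for a socket receive queue of sk_buffs. */
struct skb {
    struct skb *next;
    size_t len;
    unsigned char data[64];   /* payload; push_skb assumes n <= 64 */
};

/* Append a buffer with n payload bytes to the tail of the queue. */
void push_skb(struct skb **head, const unsigned char *bytes, size_t n)
{
    struct skb *s = calloc(1, sizeof *s), **p = head;
    s->len = n;
    memcpy(s->data, bytes, n);
    while (*p)
        p = &(*p)->next;
    *p = s;
}

/* Unlink and free the head skb (models sk_eat_skb() -> __kfree_skb()). */
static void eat_skb(struct skb **head)
{
    struct skb *s = *head;
    *head = s->next;
    free(s);
}

/* Copy up to `want` bytes from the queue into `out`; `offset` carries how
 * much of the head skb an earlier short read already consumed.
 * Returns the number of bytes copied. */
size_t recv_stream(struct skb **head, size_t *offset, unsigned char *out, size_t want)
{
    size_t copied = 0;
    while (*head && copied < want) {
        struct skb *s = *head;
        size_t skb_len = s->len;            /* cached BEFORE the skb can be freed */
        size_t used = skb_len - *offset;
        if (used > want - copied)
            used = want - copied;
        memcpy(out + copied, s->data + *offset, used);
        copied += used;
        if (used + *offset < skb_len) {     /* partial read: keep the skb, remember offset */
            *offset += used;
            continue;
        }
        *offset = 0;
        eat_skb(head);                      /* s is dangling from here on */
        /* Testing s->len at this point would be the use after free the commit removed. */
    }
    return copied;
}
```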