phonet: refcount leak in pep_sock_accep

mainline inclusion from mainline-v5.16-rc6 commit bcd0f933 category: bugfix bugzilla: NA CVE: CVE-2021-45095 -------------------------------- sock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not invoked in subsequent failure branches(pep_accept_conn() != 0). Signed-off-by: N Hangyu Hua <hbh25y@gmail.com> Link: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.comSigned-off-by: N Jakub Kicinski <kuba@kernel.org> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

phonet: refcount leak in pep_sock_accep
mainline inclusion from mainline-v5.16-rc6 commit bcd0f933 category: bugfix bugzilla: NA CVE: CVE-2021-45095 -------------------------------- sock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not invoked in subsequent failure branches(pep_accept_conn() != 0). Signed-off-by: N Hangyu Hua <hbh25y@gmail.com> Link: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.comSigned-off-by: N Jakub Kicinski <kuba@kernel.org> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
0a576e58 · Hangyu Hua · Yang Yingliang · ee3b7a69 · 0a576e58
隐藏空白更改
内联并排

Showing with 1 addition and 0 deletion

net/phonet/pep.c net/phonet/pep.c +1 -0

未找到文件。
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -881,6 +881,7 @@ static struct sock *pep_sock_accept(struct sock *sk, int flags, int *errp,

 	err = pep_accept_conn(newsk, skb);
 	if (err) {
+		__sock_put(sk);
 		sock_put(newsk);
 		newsk = NULL;
 		goto drop;