Phonet: fix potential use-after-free in pep_sock_close()

sk_common_release() might destroy our last reference to the socket. So an extra temporary reference is needed during cleanup. Signed-off-by: N Rémi Denis-Courmont <remi.denis-courmont@nokia.com> Signed-off-by: N David S. Miller <davem@davemloft.net>

Phonet: fix potential use-after-free in pep_sock_close()
sk_common_release() might destroy our last reference to the socket. So an extra temporary reference is needed during cleanup. Signed-off-by: N Rémi Denis-Courmont <remi.denis-courmont@nokia.com> Signed-off-by: N David S. Miller <davem@davemloft.net>
e513480e · Rémi Denis-Courmont · David S. Miller · 7466a384 · e513480e
隐藏空白更改
内联并排

Showing with 2 addition and 0 deletion

net/phonet/pep.c net/phonet/pep.c +2 -0

未找到文件。
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -626,6 +626,7 @@ static void pep_sock_close(struct sock *sk, long timeout)
 	struct pep_sock *pn = pep_sk(sk);
 	int ifindex = 0;

+	sock_hold(sk); /* keep a reference after sk_common_release() */
 	sk_common_release(sk);

 	lock_sock(sk);
@@ -644,6 +645,7 @@ static void pep_sock_close(struct sock *sk, long timeout)

 	if (ifindex)
 		gprs_detach(sk);
+	sock_put(sk);
 }

 static int pep_wait_connreq(struct sock *sk, int noblock)