Skip to content

Commit

Permalink
Revert "dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()"
Browse files Browse the repository at this point in the history 
This reverts commit 2677d20.

This fixes an issue that after disconnect, dccps_hc_tx_ccid will still be
kept, allowing the socket to be reused as a listener socket, and the cloned
socket will free its dccps_hc_tx_ccid, leading to a later use after free,
when the listener socket is closed.

This addresses CVE-2020-16119.

Fixes: 2677d20 (dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect())
Reported-by: Hadar Manor
Signed-off-by: Thadeu Lima de Souza Cascardo <[email protected]>
Signed-off-by: Kleber Sacilotto de Souza <[email protected]>
  • Loading branch information
@anthraxx
Thadeu Lima de Souza Cascardo authored and anthraxx committed Dec 22, 2020
1 parent a7d8899 commit 63e1d99
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions net/dccp/proto.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -279,7 +279,9 @@ int dccp_disconnect(struct sock *sk, int flags)

dccp_clear_xmit_timers(sk);
ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
dp->dccps_hc_rx_ccid = NULL;
dp->dccps_hc_tx_ccid = NULL;

__skb_queue_purge(&sk->sk_receive_queue);
__skb_queue_purge(&sk->sk_write_queue);
Expand Down

0 comments on commit 63e1d99

Please sign in to comment.