Commit 67f93df

akodanev authored and davem330 committed
dccp: check sk for closed state in dccp_sendmsg()
dccp_disconnect() sets the 'dp->dccps_hc_tx_ccid' tx handler to NULL, therefore if a DCCP socket is disconnected and dccp_sendmsg() is called after it, it will cause a NULL pointer dereference in dccp_write_xmit().

This crash and the reproducer were reported by syzbot. Looks like it is reproduced if commit 69c6486 ("dccp: CVE-2017-8824: use-after-free in DCCP code") is applied.

Reported-by: [email protected]
Signed-off-by: Alexey Kodanev <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
1 parent 17cfe79 commit 67f93df

File tree: 1 file changed, +5 -0 lines changed


net/dccp/proto.c

Lines changed: 5 additions & 0 deletions
@@ -794,6 +794,11 @@ int dccp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
794794
if (skb == NULL)
795795
goto out_release;
796796

797+
if (sk->sk_state == DCCP_CLOSED) {
798+
rc = -ENOTCONN;
799+
goto out_discard;
800+
}
801+
797802
skb_reserve(skb, sk->sk_prot->max_header);
798803
rc = memcpy_from_msg(skb_put(skb, len), msg, len);
799804
if (rc != 0)
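Review bot: the new DCCP_CLOSED check at lines 797-800 carries no comment explaining why it sits after the skb allocation rather than beside the earlier state checks in dccp_sendmsg(); the commit message gives the reason (dccp_disconnect() clears dccps_hc_tx_ccid, so dccp_write_xmit() would dereference NULL), but nothing in the code says so, and a later cleanup could move or drop the check. Suggest a one-line comment above it, e.g. `/* socket may have been disconnected meanwhile; tx CCID is gone */`. It is also worth confirming that the out_discard label frees the just-allocated skb before reaching out_release, since this new path bails out with the skb in hand and the hunk does not show where it is released.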
