linux/net/sctp
Xin Long 6910e25de2 sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg
In Commit 1f45f78f8e ("sctp: allow GSO frags to access the chunk too"),
it held the chunk in sctp_ulpevent_make_rcvmsg to access it safely later
in recvmsg. However, it also added sctp_chunk_put in fail_mark err path,
which is only triggered before holding the chunk.

syzbot reported a use-after-free crash happened on this err path, where
it shouldn't call sctp_chunk_put.

This patch simply removes this call.

Fixes: 1f45f78f8e ("sctp: allow GSO frags to access the chunk too")
Reported-by: syzbot+141d898c5f24489db4aa@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-05-10 17:48:36 -04:00
..
Kconfig
Makefile
associola.c sctp: delay the authentication for the duplicated cookie-echo chunk 2018-05-07 23:39:10 -04:00
auth.c
bind_addr.c
chunk.c selinux/stable-4.17 PR 20180403 2018-04-06 15:39:26 -07:00
debug.c
diag.c
endpointola.c
input.c
inqueue.c sctp: fix the issue that the cookie-ack with auth can't get processed 2018-05-02 11:15:33 -04:00
ipv6.c sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr 2018-04-27 13:21:50 -04:00
objcnt.c
offload.c
output.c selinux/stable-4.17 PR 20180403 2018-04-06 15:39:26 -07:00
outqueue.c
primitive.c
proc.c
protocol.c selinux/stable-4.17 PR 20180403 2018-04-06 15:39:26 -07:00
sm_make_chunk.c sctp: fix spelling mistake: "max_retans" -> "max_retrans" 2018-05-10 15:23:50 -04:00
sm_sideeffect.c
sm_statefuns.c sctp: delay the authentication for the duplicated cookie-echo chunk 2018-05-07 23:39:10 -04:00
sm_statetable.c
socket.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-04-09 17:04:10 -07:00
stream.c sctp: clear the new asoc's stream outcnt in sctp_stream_update 2018-04-27 13:34:34 -04:00
stream_interleave.c
stream_sched.c
stream_sched_prio.c
stream_sched_rr.c
sysctl.c
transport.c
tsnmap.c
ulpevent.c sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg 2018-05-10 17:48:36 -04:00
ulpqueue.c