linux/net/ax25
Cong Wang c433570458 ax25: fix a use-after-free in ax25_fillin_cb()
There are multiple issues here:

1. After freeing dev->ax25_ptr, we need to set it to NULL otherwise
   we may use a dangling pointer.

2. There is a race between ax25_setsockopt() and device notifier as
   reported by syzbot. Close it by holding RTNL lock.

3. We need to test if dev->ax25_ptr is NULL before using it.

Reported-and-tested-by: syzbot+ae6bb869cbed29b29040@syzkaller.appspotmail.com
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-12-30 14:07:54 -08:00
..
af_ax25.c ax25: fix a use-after-free in ax25_fillin_cb() 2018-12-30 14:07:54 -08:00
ax25_addr.c
ax25_dev.c ax25: fix a use-after-free in ax25_fillin_cb() 2018-12-30 14:07:54 -08:00
ax25_ds_in.c
ax25_ds_subr.c
ax25_ds_timer.c
ax25_iface.c
ax25_in.c
ax25_ip.c
ax25_out.c
ax25_route.c
ax25_std_in.c
ax25_std_subr.c
ax25_std_timer.c
ax25_subr.c
ax25_timer.c
ax25_uid.c
Kconfig
Makefile
sysctl_net_ax25.c
TODO