linux/net/sctp
Marcelo Ricardo Leitner 79d0895140 sctp: fix error path in sctp_stream_init
syzbot noticed a NULL pointer dereference panic in sctp_stream_free()
which was caused by an incomplete error handling in sctp_stream_init().
By not clearing stream->outcnt, it made a for() in sctp_stream_free()
think that it had elements to free, but not, leading to the panic.

As suggested by Xin Long, this patch also simplifies the error path by
moving it to the only if() that uses it.

See-also: https://www.spinics.net/lists/netdev/msg473756.html
See-also: https://www.spinics.net/lists/netdev/msg465024.html
Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: f952be79ce ("sctp: introduce struct sctp_stream_out_ext")
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-01-03 11:29:42 -05:00
..
associola.c net: sctp: Convert timers to use timer_setup() 2017-10-25 12:02:09 +09:00
auth.c sctp: remove the typedef sctp_hmac_algo_param_t 2017-07-16 20:52:14 -07:00
bind_addr.c sctp: remove the typedef sctp_scope_t 2017-08-06 21:33:41 -07:00
chunk.c sctp: do not abandon the other frags in unsent outq if one msg has outstanding frags 2017-12-01 15:06:24 -05:00
debug.c sctp: add SCTP_CID_RECONF conversion in sctp_cname 2017-12-18 13:21:46 -05:00
endpointola.c sctp: remove the typedef sctp_subtype_t 2017-08-06 21:33:42 -07:00
input.c sctp: fix some type cast warnings introduced by transport rhashtable 2017-10-29 18:03:24 +09:00
inqueue.c sctp: remove the typedef sctp_chunkhdr_t 2017-07-01 09:08:41 -07:00
ipv6.c net/sctp: Always set scope_id in sctp_inet6_skb_msgname 2017-11-16 23:00:30 +09:00
Kconfig sctp: add the sctp_diag.c file 2016-04-15 17:29:36 -04:00
Makefile Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
objcnt.c sctp: remove the typedef sctp_dbg_objcnt_entry_t 2017-08-11 10:02:43 -07:00
offload.c net: use skb->csum_not_inet to identify packets needing crc32c 2017-05-19 19:21:29 -04:00
output.c sctp: remove the typedef sctp_xmit_t 2017-08-06 21:33:42 -07:00
outqueue.c sctp: do not abandon the other frags in unsent outq if one msg has outstanding frags 2017-12-01 15:06:24 -05:00
primitive.c sctp: remove the typedef sctp_subtype_t 2017-08-06 21:33:42 -07:00
probe.c sctp: remove the typedef sctp_disposition_t 2017-08-11 10:02:44 -07:00
proc.c net: convert sock.sk_wmem_alloc from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
protocol.c sctp: remove extern from stream sched 2017-11-28 11:00:13 -05:00
sctp_diag.c sctp: Fix a big endian bug in sctp_diag_dump() 2017-09-26 21:16:29 -07:00
sm_make_chunk.c sctp: check stream reset info len before making reconf chunk 2017-11-16 10:49:00 +09:00
sm_sideeffect.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-10-30 21:09:24 +09:00
sm_statefuns.c sctp: remove the typedef sctp_disposition_t 2017-08-11 10:02:44 -07:00
sm_statetable.c sctp: remove the typedef sctp_sm_table_entry_t 2017-08-11 10:02:44 -07:00
socket.c sctp: Replace use of sockets_allocated with specified macro. 2017-12-27 13:47:52 -05:00
stream_sched_prio.c sctp: remove extern from stream sched 2017-11-28 11:00:13 -05:00
stream_sched_rr.c sctp: remove extern from stream sched 2017-11-28 11:00:13 -05:00
stream_sched.c sctp: remove extern from stream sched 2017-11-28 11:00:13 -05:00
stream.c sctp: fix error path in sctp_stream_init 2018-01-03 11:29:42 -05:00
sysctl.c sctp: remove the typedef sctp_scope_policy_t 2017-08-06 21:33:41 -07:00
transport.c net: sctp: Convert timers to use timer_setup() 2017-10-25 12:02:09 +09:00
tsnmap.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
ulpevent.c sctp: fix some type cast warnings introduced by stream reconf 2017-10-29 18:03:24 +09:00
ulpqueue.c sctp: fix the issue that a __u16 variable may overflow in sctp_ulpq_renege 2017-12-18 13:21:46 -05:00