2
0
mirror of https://github.com/edk2-porting/linux-next.git synced 2025-01-03 11:13:56 +08:00
linux-next/drivers/net/ppp
Hannes Frederic Sowa 9a368aff9c pptp: fix illegal memory access caused by multiple bind()s
Several times already this has been reported as kasan reports caused by
syzkaller and trinity and people always looked at RCU races, but it is
much more simple. :)

In case we bind a pptp socket multiple times, we simply add it to
the callid_sock list but don't remove the old binding. Thus the old
socket stays in the bucket with unused call_id indexes and doesn't get
cleaned up. This causes various forms of kasan reports which were hard
to pinpoint.

Simply don't allow multiple binds and correct error handling in
pptp_bind. Also keep sk_state bits in place in pptp_connect.

Fixes: 00959ade36 ("PPTP: PPP over IPv4 (Point-to-Point Tunneling Protocol)")
Cc: Dmitry Kozlov <xeb@mail.ru>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Dave Jones <davej@codemonkey.org.uk>
Reported-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-01-24 22:18:26 -08:00
..
bsd_comp.c
Kconfig tty/serial patches for 3.9-rc1 2013-02-21 13:41:04 -08:00
Makefile
ppp_async.c tty: Fix recursive deadlock in tty_perform_flush() 2013-03-18 16:52:24 -07:00
ppp_deflate.c ppp: deflate: never return len larger than output buffer 2015-01-29 14:50:01 -08:00
ppp_generic.c ppp: declare ppp devices as enumerated interfaces 2015-12-14 16:20:57 -05:00
ppp_mppe.c ppp: mppe: discard late packet in stateless mode 2015-04-26 23:25:13 -04:00
ppp_mppe.h
ppp_synctty.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2013-05-01 14:08:52 -07:00
pppoe.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-12-17 22:08:28 -05:00
pppox.c pppox: use standard module auto-loading feature 2015-12-03 15:12:54 -05:00
pptp.c pptp: fix illegal memory access caused by multiple bind()s 2016-01-24 22:18:26 -08:00