• Daniel Borkmann's avatar
    net: llc: fix use after free in llc_ui_recvmsg · 4d231b76
    Daniel Borkmann authored
    While commit 30a584d9 fixes datagram interface in LLC, a use
    after free bug has been introduced for SOCK_STREAM sockets that do
    not make use of MSG_PEEK.
    The flow is as follow ...
      if (!(flags & MSG_PEEK)) {
        sk_eat_skb(sk, skb, false);
      if (used + offset < skb->len)
    ... where sk_eat_skb() calls __kfree_skb(). Therefore, cache
    original length and work on skb_len to check partial reads.
    Fixes: 30a584d9 ("[LLX]: SOCK_DGRAM interface fixes")
    Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
af_llc.c 31.1 KB