    atm: fix a UAF in lec_arp_clear_vccs() · 93a2014a
    Cong Wang authored
    Gengming reported a UAF in lec_arp_clear_vccs(),
    where we add a vcc socket to an entry in a per-device
    list but free the socket without removing it from the
    list when vcc->dev is NULL.
    
    We need to call lec_vcc_close() to search for and remove
    those entries that contain the vcc being destroyed. This can
    be done by calling vcc->push(vcc, NULL) unconditionally
    in vcc_destroy_socket().
    
    Another issue discovered by Gengming's reproducer is that
    vcc->dev may point to the static device lecatm_dev,
    for which we don't need to register/unregister a device,
    so we can just check for vcc->dev->ops->owner.
    Reported-by: Gengming Liu <l.dmxcsnsbh@gmail.com>
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
common.c 21.4 KB
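The commit message describes a classic list-membership UAF: a vcc is linked into a per-device list, then freed on a path that skips the unlink when vcc->dev is NULL, so a later walk of the list (lec_arp_clear_vccs()) dereferences freed memory. The following is an added, user-space model of that sequence, not the kernel's code: a single `struct device` type and a global `g_devs[]` table stand in for the kernel's ATM and LANE device structures, `freed` stands in for kfree(), and `model_attach`, `model_push`, `destroy_buggy`, `destroy_fixed` and `dangling_after_destroy` are hypothetical names chosen for the illustration. It contrasts the pre-fix destroy path (close notification gated on vcc->dev) with the fixed one (vcc->push(vcc, NULL) unconditionally) and counts how many list entries are left pointing at the freed vcc.

```c
/* Added model of the UAF in the commit message; not kernel code. */
#include <stddef.h>
#include <stdlib.h>

#define NUM_DEVS 2

struct vcc;

/* One per-device table entry holding a reference to a vcc (modelled). */
struct entry {
    struct vcc *vcc;
    struct entry *next;
};

/* A device with its entry list (modelled; the kernel uses separate
 * ATM-device and LANE net-device structures, collapsed here). */
struct device {
    struct entry *entries;
};

struct vcc {
    struct device *dev;                      /* may be NULL, as in the report */
    int freed;                               /* stands in for kfree() */
    void (*push)(struct vcc *vcc, void *skb);
};

static struct device g_devs[NUM_DEVS];       /* stands in for the device table */

/* Attach: link vcc into the device's list (attach-side analogue). */
static void model_attach(struct device *dev, struct vcc *vcc)
{
    struct entry *e = calloc(1, sizeof(*e));
    e->vcc = vcc;
    e->next = dev->entries;
    dev->entries = e;
    vcc->dev = dev;
}

/* push(vcc, NULL) is the close signal: search every device list and
 * unlink entries that reference vcc (lec_vcc_close() analogue). */
static void model_push(struct vcc *vcc, void *skb)
{
    if (skb != NULL)
        return;                              /* frame delivery not modelled */
    for (int i = 0; i < NUM_DEVS; i++) {
        struct entry **pp = &g_devs[i].entries;
        while (*pp) {
            if ((*pp)->vcc == vcc) {
                struct entry *dead = *pp;
                *pp = dead->next;
                free(dead);
            } else {
                pp = &(*pp)->next;
            }
        }
    }
}

/* Before the fix: the close notification only runs when vcc->dev is set,
 * so a vcc with dev == NULL is freed while still linked. */
static void destroy_buggy(struct vcc *vcc)
{
    if (vcc->dev)
        vcc->push(vcc, NULL);
    vcc->freed = 1;
}

/* After the fix: push(vcc, NULL) runs unconditionally before the free. */
static void destroy_fixed(struct vcc *vcc)
{
    vcc->push(vcc, NULL);
    vcc->freed = 1;
}

/* What a later list walk (lec_arp_clear_vccs() analogue) would hit:
 * entries whose vcc has already been freed. */
static int count_dangling(void)
{
    int n = 0;
    for (int i = 0; i < NUM_DEVS; i++)
        for (struct entry *e = g_devs[i].entries; e; e = e->next)
            if (e->vcc->freed)
                n++;
    return n;
}

static void reset_devs(void)
{
    for (int i = 0; i < NUM_DEVS; i++) {
        while (g_devs[i].entries) {
            struct entry *e = g_devs[i].entries;
            g_devs[i].entries = e->next;
            free(e);
        }
    }
}

/* Reproduce the reported sequence: attach, lose vcc->dev, destroy.
 * Returns the number of entries left pointing at the freed vcc
 * (1 with the buggy path, 0 with the fixed one). */
int dangling_after_destroy(int use_fix)
{
    static struct vcc v;
    reset_devs();
    v.dev = NULL;
    v.freed = 0;
    v.push = model_push;
    model_attach(&g_devs[0], &v);
    v.dev = NULL;                            /* the condition from the report */
    if (use_fix)
        destroy_fixed(&v);
    else
        destroy_buggy(&v);
    return count_dangling();
}
```

The model deliberately keeps the freed object readable (a flag rather than a real free) so the stale reference can be counted instead of crashing; under KASAN the real kernel walk would report the read of freed memory at the same point.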