• Xin Long's avatar
    sctp: hold transport instead of assoc when lookup assoc in rx path · dae399d7
    Xin Long authored
    Prior to this patch, in rx path, before calling lock_sock, it needed to
    hold assoc when got it by __sctp_lookup_association, in case other place
    would free/put assoc.
    
    But in __sctp_lookup_association, it lookup and hold transport, then got
    assoc by transport->assoc, then hold assoc and put transport. It means
    it didn't hold transport, yet it was returned and later on directly
    assigned to chunk->transport.
    
    Without the protection of sock lock, the transport may be freed/put by
    other places, which would cause a use-after-free issue.
    
    This patch is to fix this issue by holding transport instead of assoc.
    As holding transport can make sure to access assoc is also safe, and
    actually it looks up assoc by searching transport rhashtable, to hold
    transport here makes more sense.
    
    Note that the function will be renamed later on on another patch.
    Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
    Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    dae399d7
input.c 33.1 KB