• David Howells's avatar
    rxrpc: Fix use-after-free in rxrpc_receive_data() · 122d74fa
    David Howells authored
    The subpacket scanning loop in rxrpc_receive_data() references the
    subpacket count in the private data part of the sk_buff in the loop
    termination condition.  However, when the final subpacket is pasted into
    the ring buffer, the function is no longer has a ref on the sk_buff and
    should not be looking at sp->* any more.  This point is actually marked in
    the code when skb is cleared (but sp is not - which is an error).
    
    Fix this by caching sp->nr_subpackets in a local variable and using that
    instead.
    
    Also clear 'sp' to catch accesses after that point.
    
    This can show up as an oops in rxrpc_get_skb() if sp->nr_subpackets gets
    trashed by the sk_buff getting freed and reused in the meantime.
    
    Fixes: e2de6c40 ("rxrpc: Use info in skbuff instead of reparsing a jumbo packet")
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    122d74fa
input.c 36.6 KB