From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> To: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Vlad Yasevich <vyasevich@gmail.com>, Neil Horman <nhorman@tuxdriver.com>, linux-sctp@vger.kernel.org, netdev@vger.kernel.org, vuln@secunia.com Subject: Re: [PATCH net] sctp: walk the list of asoc safely Date: Fri, 1 Feb 2019 12:20:37 -0200 [thread overview] Message-ID: <20190201142037.GC10521@localhost.localdomain> (raw) In-Reply-To: <20190201141522.GA20785@kroah.com> On Fri, Feb 01, 2019 at 03:15:22PM +0100, Greg Kroah-Hartman wrote: > In sctp_sendmesg(), when walking the list of endpoint associations, the > association can be dropped from the list, making the list corrupt. > Properly handle this by using list_for_each_entry_safe() > > Fixes: 4910280503f3 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg") > Reported-by: Secunia Research <vuln@secunia.com> > Tested-by: Secunia Research <vuln@secunia.com> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > > diff --git a/net/sctp/socket.c b/net/sctp/socket.c > index f93c3cf9e567..65d6d04546ae 100644 > --- a/net/sctp/socket.c > +++ b/net/sctp/socket.c > @@ -2027,7 +2027,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len) > struct sctp_endpoint *ep = sctp_sk(sk)->ep; > struct sctp_transport *transport = NULL; > struct sctp_sndrcvinfo _sinfo, *sinfo; > - struct sctp_association *asoc; > + struct sctp_association *asoc, *tmp; > struct sctp_cmsgs cmsgs; > union sctp_addr *daddr; > bool new = false; > @@ -2053,7 +2053,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len) Extending the context here by 1 line: lock_sock(sk); > > /* SCTP_SENDALL process */ > if ((sflags & SCTP_SENDALL) && sctp_style(sk, UDP)) { > - list_for_each_entry(asoc, &ep->asocs, asocs) { > + list_for_each_entry_safe(asoc, tmp, &ep->asocs, asocs) { With the socket being locked by here, how can an asoc be removed while the list is being traversed? The socket lock should be protecting from it. > err = sctp_sendmsg_check_sflags(asoc, sflags, msg, > msg_len); > if (err == 0)
WARNING: multiple messages have this Message-ID (diff)
From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> To: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Vlad Yasevich <vyasevich@gmail.com>, Neil Horman <nhorman@tuxdriver.com>, linux-sctp@vger.kernel.org, netdev@vger.kernel.org, vuln@secunia.com Subject: Re: [PATCH net] sctp: walk the list of asoc safely Date: Fri, 01 Feb 2019 14:20:37 +0000 [thread overview] Message-ID: <20190201142037.GC10521@localhost.localdomain> (raw) In-Reply-To: <20190201141522.GA20785@kroah.com> On Fri, Feb 01, 2019 at 03:15:22PM +0100, Greg Kroah-Hartman wrote: > In sctp_sendmesg(), when walking the list of endpoint associations, the > association can be dropped from the list, making the list corrupt. > Properly handle this by using list_for_each_entry_safe() > > Fixes: 4910280503f3 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg") > Reported-by: Secunia Research <vuln@secunia.com> > Tested-by: Secunia Research <vuln@secunia.com> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > > diff --git a/net/sctp/socket.c b/net/sctp/socket.c > index f93c3cf9e567..65d6d04546ae 100644 > --- a/net/sctp/socket.c > +++ b/net/sctp/socket.c > @@ -2027,7 +2027,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len) > struct sctp_endpoint *ep = sctp_sk(sk)->ep; > struct sctp_transport *transport = NULL; > struct sctp_sndrcvinfo _sinfo, *sinfo; > - struct sctp_association *asoc; > + struct sctp_association *asoc, *tmp; > struct sctp_cmsgs cmsgs; > union sctp_addr *daddr; > bool new = false; > @@ -2053,7 +2053,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len) Extending the context here by 1 line: lock_sock(sk); > > /* SCTP_SENDALL process */ > if ((sflags & SCTP_SENDALL) && sctp_style(sk, UDP)) { > - list_for_each_entry(asoc, &ep->asocs, asocs) { > + list_for_each_entry_safe(asoc, tmp, &ep->asocs, asocs) { With the socket being locked by here, how can an asoc be removed while the list is being traversed? The socket lock should be protecting from it. > err = sctp_sendmsg_check_sflags(asoc, sflags, msg, > msg_len); > if (err = 0)
next prev parent reply other threads:[~2019-02-01 14:20 UTC|newest] Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-02-01 14:15 [PATCH net] sctp: walk the list of asoc safely Greg Kroah-Hartman 2019-02-01 14:15 ` Greg Kroah-Hartman 2019-02-01 14:20 ` Marcelo Ricardo Leitner [this message] 2019-02-01 14:20 ` Marcelo Ricardo Leitner 2019-02-01 14:43 ` Greg Kroah-Hartman 2019-02-01 14:43 ` Greg Kroah-Hartman 2019-02-01 14:58 ` Marcelo Ricardo Leitner 2019-02-01 14:58 ` Marcelo Ricardo Leitner 2019-02-01 15:55 ` Neil Horman 2019-02-01 15:55 ` Neil Horman 2019-02-01 19:04 ` David Miller 2019-02-01 19:04 ` David Miller
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20190201142037.GC10521@localhost.localdomain \ --to=marcelo.leitner@gmail.com \ --cc=gregkh@linuxfoundation.org \ --cc=linux-sctp@vger.kernel.org \ --cc=netdev@vger.kernel.org \ --cc=nhorman@tuxdriver.com \ --cc=vuln@secunia.com \ --cc=vyasevich@gmail.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.