Date: Tue, 22 Dec 2015 15:34:25 -0500 (EST)
Message-Id: <20151222.153425.727988801786072877.davem@davemloft.net>
From: David Miller
To: vegard.nossum@oracle.com
Cc: acme@kernel.org, edumazet@google.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] dccp: fix use-after-free after cloning struct dccp_sock
In-Reply-To: <1450644807-852-1-git-send-email-vegard.nossum@oracle.com>
References: <1450644807-852-1-git-send-email-vegard.nossum@oracle.com>

From: Vegard Nossum
Date: Sun, 20 Dec 2015 21:53:27 +0100

> @@ -115,6 +115,10 @@ struct sock *dccp_create_openreq_child(const struct sock *sk,
> newdp->dccps_isr = dreq->dreq_isr;
> newdp->dccps_gsr = dreq->dreq_gsr;
>
> + newdp->dccps_hc_rx_ackvec = NULL;
> + newdp->dccps_hc_rx_ccid = NULL;
> + newdp->dccps_hc_tx_ccid = NULL;

->dccps_hc_rx_ackvec is set to NULL several lines above this, so you
don't need to add that case here.

WRT the ccid pointers, I don't think we can just NULL them out. If
the parent socket has these CCID features enabled, we have to clone
them into the child somehow.
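Review bot: the two added lines `+ newdp->dccps_hc_rx_ccid = NULL;` and `+ newdp->dccps_hc_tx_ccid = NULL;` stop the child from sharing the parent's CCID objects after the struct copy, but nothing in the hunk says how the child then obtains its own CCIDs; the patch (and its commit message) should state whether the child allocates or clones them later, otherwise a child that reaches its CCID hooks with a NULL pointer fails in a different way rather than correctly. The `+ newdp->dccps_hc_rx_ackvec = NULL;` line repeats an assignment already made earlier in `dccp_create_openreq_child`, as noted in the reply, and can be dropped. The header `@@ -115,6 +115,10 @@` announces four added lines but only three `+` lines are quoted, so the hunk as shown is incomplete and should be checked against the full patch.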