[PATCH] IB: fix CM use-after-free

If the CM REQ handling function gets to error2, then it frees cm_id_priv->timewait_info. But the next line goes through ib_destroy_cm_id() -> ib_send_cm_rej() -> cm_reset_to_idle(), which ends up calling cm_cleanup_timewait(), which dereferences the pointer we just freed. Make sure we clear cm_id_priv->timewait_info after freeing it, so that doesn't happen. Signed-off-by: Roland Dreier <rolandd@cisco.com>

[PATCH] IB: fix CM use-after-free
If the CM REQ handling function gets to error2, then it frees cm_id_priv->timewait_info. But the next line goes through ib_destroy_cm_id() -> ib_send_cm_rej() -> cm_reset_to_idle(), which ends up calling cm_cleanup_timewait(), which dereferences the pointer we just freed. Make sure we clear cm_id_priv->timewait_info after freeing it, so that doesn't happen. Signed-off-by: Roland Dreier <rolandd@cisco.com>
1b205c2d · Roland Dreier · Roland Dreier · 354ba39c · 1b205c2d
Commit 1b205c2d authored Sep 09, 2005 by Roland Dreier Committed by Roland Dreier Sep 09, 2005
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

drivers/infiniband/core/cm.c drivers/infiniband/core/cm.c +1 -0

No files found.
--- a/drivers/infiniband/core/cm.c
+++ b/drivers/infiniband/core/cm.c
@@ -1315,6 +1315,7 @@ error3:	atomic_dec(&cm_id_priv->refcount);
 	cm_deref_id(listen_cm_id_priv);
 	cm_cleanup_timewait(cm_id_priv->timewait_info);
 error2:	kfree(cm_id_priv->timewait_info);
+	cm_id_priv->timewait_info = NULL;
 error1:	ib_destroy_cm_id(&cm_id_priv->id);
 	return ret;
 }