Commit 7c236130 authored by Greg Kroah-Hartman

sctp: walk the list of asoc safely

[ Upstream commit ba59fb02 ]

In sctp_sendmsg(), when walking the list of endpoint associations, the
association can be dropped from the list, making the list corrupt.
Properly handle this by using list_for_each_entry_safe().

Fixes: 49102805 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg")
Reported-by: Secunia Research <vuln@secunia.com>
Tested-by: Secunia Research <vuln@secunia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 7cd4e833
...@@ -2045,7 +2045,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len) ...@@ -2045,7 +2045,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
struct sctp_endpoint *ep = sctp_sk(sk)->ep; struct sctp_endpoint *ep = sctp_sk(sk)->ep;
struct sctp_transport *transport = NULL; struct sctp_transport *transport = NULL;
struct sctp_sndrcvinfo _sinfo, *sinfo; struct sctp_sndrcvinfo _sinfo, *sinfo;
struct sctp_association *asoc; struct sctp_association *asoc, *tmp;
struct sctp_cmsgs cmsgs; struct sctp_cmsgs cmsgs;
union sctp_addr *daddr; union sctp_addr *daddr;
bool new = false; bool new = false;
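Review bot: The new `*tmp` in `struct sctp_association *asoc, *tmp;` is declared at function scope with a generic name, while the visible hunks use it only as the saved-next cursor of the SCTP_SENDALL walk. A short comment at the declaration, or a more specific name, would make that role clear and discourage reuse elsewhere in sctp_sendmsg().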
...@@ -2071,7 +2071,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len) ...@@ -2071,7 +2071,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
/* SCTP_SENDALL process */ /* SCTP_SENDALL process */
if ((sflags & SCTP_SENDALL) && sctp_style(sk, UDP)) { if ((sflags & SCTP_SENDALL) && sctp_style(sk, UDP)) {
list_for_each_entry(asoc, &ep->asocs, asocs) { list_for_each_entry_safe(asoc, tmp, &ep->asocs, asocs) {
err = sctp_sendmsg_check_sflags(asoc, sflags, msg, err = sctp_sendmsg_check_sflags(asoc, sflags, msg,
msg_len); msg_len);
if (err == 0) if (err == 0)
......
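Review bot: The switch to `list_for_each_entry_safe(asoc, tmp, &ep->asocs, asocs)` only protects against the current entry `asoc` being unlinked during the loop body, because the next entry is cached in `tmp` before the body runs. If anything reached from the body, starting with `sctp_sendmsg_check_sflags()`, can also unlink or free a different association on `ep->asocs`, `tmp` could still be stale. Please confirm that only `asoc` itself can be dropped here, and add a one-line comment above the loop naming the call that drops it, so the reason for the _safe variant is not lost in a later cleanup.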