From: Alexey Kodanev <[email protected]>
Date: Tue, 6 Mar 2018 22:57:01 +0300
> dccp_disconnect() sets 'dp->dccps_hc_tx_ccid' tx handler to NULL,
> therefore if DCCP socket is disconnected and dccp_sendmsg() is
> called after it, it will cause a NULL pointer dereference in
> dccp_write_xmit().
>
> This crash and the reproducer was reported by syzbot. Looks like
> it is reproduced if commit 69c64866ce07 ("dccp: CVE-2017-8824:
> use-after-free in DCCP code") is applied.
>
> Reported-by: [email protected]
> Signed-off-by: Alexey Kodanev <[email protected]>
Applied and queued up for -stable, thanks!
