From: Alexey Kodanev <alexey.koda...@oracle.com>
Date: Tue, 6 Mar 2018 22:57:01 +0300

> dccp_disconnect() sets 'dp->dccps_hc_tx_ccid' tx handler to NULL,
> therefore if DCCP socket is disconnected and dccp_sendmsg() is
> called after it, it will cause a NULL pointer dereference in
> dccp_write_xmit().
>
> This crash and the reproducer were reported by syzbot. Looks like
> it is reproduced if commit 69c64866ce07 ("dccp: CVE-2017-8824:
> use-after-free in DCCP code") is applied.
>
> Reported-by: syzbot+f99ab3887ab65d70f...@syzkaller.appspotmail.com
> Signed-off-by: Alexey Kodanev <alexey.koda...@oracle.com>

Applied and queued up for -stable, thanks!