Re: [tipc-discussion] [net] tipc: fix use-after-free in tipc_disc_rcv()
On 12/9/19 6:11 PM, Tuong Lien wrote: > In the function 'tipc_disc_rcv()', the 'msg_peer_net_hash()' is called > to read the header data field but after the message skb has been freed, > that might result in a garbage value... > > This commit fixes it by defining a new local variable to store the data > first, just like the other header fields' handling. > > Fixes: f73b12812a3d ("tipc: improve throughput between nodes in netns") > Signed-off-by: Tuong Lien Acked-by: Ying Xue > --- > net/tipc/discover.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/net/tipc/discover.c b/net/tipc/discover.c > index b043e8c6397a..bfe43da127c0 100644 > --- a/net/tipc/discover.c > +++ b/net/tipc/discover.c > @@ -194,6 +194,7 @@ void tipc_disc_rcv(struct net *net, struct sk_buff *skb, > { > struct tipc_net *tn = tipc_net(net); > struct tipc_msg *hdr = buf_msg(skb); > + u32 pnet_hash = msg_peer_net_hash(hdr); > u16 caps = msg_node_capabilities(hdr); > bool legacy = tn->legacy_addr_format; > u32 sugg = msg_sugg_node_addr(hdr); > @@ -242,9 +243,8 @@ void tipc_disc_rcv(struct net *net, struct sk_buff *skb, > return; > if (!tipc_in_scope(legacy, b->domain, src)) > return; > - tipc_node_check_dest(net, src, peer_id, b, caps, signature, > - msg_peer_net_hash(hdr), , , > - _addr); > + tipc_node_check_dest(net, src, peer_id, b, caps, signature, pnet_hash, > + , , _addr); > if (dupl_addr) > disc_dupl_alert(b, src, ); > if (!respond) > ___ tipc-discussion mailing list tipc-discussion@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tipc-discussion
Re: [tipc-discussion] [net] tipc: fix use-after-free in tipc_disc_rcv()
Acked-by: jon > -Original Message- > From: Tuong Lien > Sent: 9-Dec-19 05:12 > To: tipc-discussion@lists.sourceforge.net; Jon Maloy > ; ma...@donjonn.com; > ying@windriver.com > Subject: [net] tipc: fix use-after-free in tipc_disc_rcv() > > In the function 'tipc_disc_rcv()', the 'msg_peer_net_hash()' is called > to read the header data field but after the message skb has been freed, > that might result in a garbage value... > > This commit fixes it by defining a new local variable to store the data > first, just like the other header fields' handling. > > Fixes: f73b12812a3d ("tipc: improve throughput between nodes in netns") > Signed-off-by: Tuong Lien > --- > net/tipc/discover.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/net/tipc/discover.c b/net/tipc/discover.c > index b043e8c6397a..bfe43da127c0 100644 > --- a/net/tipc/discover.c > +++ b/net/tipc/discover.c > @@ -194,6 +194,7 @@ void tipc_disc_rcv(struct net *net, struct sk_buff *skb, > { > struct tipc_net *tn = tipc_net(net); > struct tipc_msg *hdr = buf_msg(skb); > + u32 pnet_hash = msg_peer_net_hash(hdr); > u16 caps = msg_node_capabilities(hdr); > bool legacy = tn->legacy_addr_format; > u32 sugg = msg_sugg_node_addr(hdr); > @@ -242,9 +243,8 @@ void tipc_disc_rcv(struct net *net, struct sk_buff *skb, > return; > if (!tipc_in_scope(legacy, b->domain, src)) > return; > - tipc_node_check_dest(net, src, peer_id, b, caps, signature, > - msg_peer_net_hash(hdr), , , > - _addr); > + tipc_node_check_dest(net, src, peer_id, b, caps, signature, pnet_hash, > + , , _addr); > if (dupl_addr) > disc_dupl_alert(b, src, ); > if (!respond) > -- > 2.13.7 ___ tipc-discussion mailing list tipc-discussion@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tipc-discussion
[tipc-discussion] [net] tipc: fix use-after-free in tipc_disc_rcv()
In the function 'tipc_disc_rcv()', the 'msg_peer_net_hash()' is called to read the header data field but after the message skb has been freed, that might result in a garbage value... This commit fixes it by defining a new local variable to store the data first, just like the other header fields' handling. Fixes: f73b12812a3d ("tipc: improve throughput between nodes in netns") Signed-off-by: Tuong Lien --- net/tipc/discover.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/tipc/discover.c b/net/tipc/discover.c index b043e8c6397a..bfe43da127c0 100644 --- a/net/tipc/discover.c +++ b/net/tipc/discover.c @@ -194,6 +194,7 @@ void tipc_disc_rcv(struct net *net, struct sk_buff *skb, { struct tipc_net *tn = tipc_net(net); struct tipc_msg *hdr = buf_msg(skb); + u32 pnet_hash = msg_peer_net_hash(hdr); u16 caps = msg_node_capabilities(hdr); bool legacy = tn->legacy_addr_format; u32 sugg = msg_sugg_node_addr(hdr); @@ -242,9 +243,8 @@ void tipc_disc_rcv(struct net *net, struct sk_buff *skb, return; if (!tipc_in_scope(legacy, b->domain, src)) return; - tipc_node_check_dest(net, src, peer_id, b, caps, signature, -msg_peer_net_hash(hdr), , , -_addr); + tipc_node_check_dest(net, src, peer_id, b, caps, signature, pnet_hash, +, , _addr); if (dupl_addr) disc_dupl_alert(b, src, ); if (!respond) -- 2.13.7 ___ tipc-discussion mailing list tipc-discussion@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tipc-discussion
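Review bot: nit on the first hunk (@@ -194,6 +194,7 @@): `u32 pnet_hash = msg_peer_net_hash(hdr);` is longer than the two declarations above it, so the netdev reverse-Christmas-tree layout is not kept; it depends on `hdr` and cannot move higher, so that is acceptable, but a one-line comment at this declaration block saying that every header field must be copied into a local here, before the skb is consumed, would help keep the same use-after-free from being reintroduced the next time a field is added, since the surrounding `caps`, `legacy` and `sugg` lines rely on that convention without stating it.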
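Review bot: on the second hunk (@@ -242,9 +243,8 @@), replacing `msg_peer_net_hash(hdr)` with `pnet_hash` in the `tipc_node_check_dest()` call removes the only `hdr` dereference visible at this point, but this hunk covers a single call site; it is worth grepping the rest of `tipc_disc_rcv()` for any remaining `hdr` use past the point where the skb is released, and confirming the fix under KASAN, which is the tool that flags exactly this class of freed-memory read. Note also that the trailing arguments render here as `, , _addr`, which looks like the address-of arguments were lost when the mail was archived, so the full argument list cannot be checked from this copy.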