Re: [PATCH] dccp: fix use-after-free after cloning struct dccp_sock

From: Vegard Nossum Date: Sun, 20 Dec 2015 21:53:27 +0100 > @@ -115,6 +115,10 @@ struct sock *dccp_create_openreq_child(const struct sock > *sk, > newdp->dccps_isr = dreq->dreq_isr; > newdp->dccps_gsr = dreq->dreq_gsr; > > +

[PATCH] dccp: fix use-after-free after cloning struct dccp_sock

I've observed various spew (KASAN, warnings, oopses, etc.) that seem to stem from incorrect cloning of dccp_sock in dccp_create_openreq_child(). The problem is that struct dccp_sock's ->dccps_hc_rx_ackvec, ->dccps_hc_rx_ccid, and ->dccps_hc_tx_ccid members are pointers to memory which is