** Description changed:
- TBD
+ [Impact]
+
+ If the socket buffer array of a tap queue is full, a received package
+ needs to be dropped. Currently, the check for the array being full is
+ performed lockless, which might lead to use-after-free errors if the
+ socket buffer array has been resized.
+
+ [Test Case]
+
+ TBD.
+
+ [Regression Potential]
+
+ The check for the array being full is simply dropped. In case the array
+ is full, subsequent frame handling will fail and the frame is eventually
+ dropped. A regression would manifest itself if the frame is not dropped
+ for whatever reason and inserted into the (ring) buffer, overwriting the
+ oldest frame in the buffer.
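Review bot: the [Test Case] section is still "TBD.", so the description gives no way to confirm that the use-after-free is gone or that a frame arriving at a full array is still dropped, as [Regression Potential] claims it will be. Add a verification procedure covering both points. In [Impact], "a received package" should read "a received packet".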
** Changed in: linux (Ubuntu)
Status: Incomplete => Invalid
** Changed in: linux (Ubuntu Bionic)
Status: Incomplete => Confirmed
--
https://bugs.launchpad.net/bugs/1889735
Title:
tap: use after free