sctp: fix error path in sctp_stream_init
syzbot noticed a NULL pointer dereference panic in sctp_stream_free() which was caused by incomplete error handling in sctp_stream_init(). By not clearing stream->outcnt, it made a for() in sctp_stream_free() think that it had elements to free when it had none, leading to the panic. As suggested by Xin Long, this patch also simplifies the error path by moving it to the only if() that uses it. See-also: https://www.spinics.net/lists/netdev/msg473756.html See-also: https://www.spinics.net/lists/netdev/msg465024.html Reported-by: syzbot <syzkaller@googlegroups.com> Fixes: f952be79cebd ("sctp: introduce struct sctp_stream_out_ext") Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Reviewed-by: Xin Long <lucien.xin@gmail.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
parent
ba77919808
commit
79d0895140
@ -156,9 +156,9 @@ int sctp_stream_init(struct sctp_stream *stream, __u16 outcnt, __u16 incnt,
|
||||
sctp_stream_outq_migrate(stream, NULL, outcnt);
|
||||
sched->sched_all(stream);
|
||||
|
||||
i = sctp_stream_alloc_out(stream, outcnt, gfp);
|
||||
if (i)
|
||||
return i;
|
||||
ret = sctp_stream_alloc_out(stream, outcnt, gfp);
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
stream->outcnt = outcnt;
|
||||
for (i = 0; i < stream->outcnt; i++)
|
||||
@ -170,19 +170,17 @@ in:
|
||||
if (!incnt)
|
||||
goto out;
|
||||
|
||||
i = sctp_stream_alloc_in(stream, incnt, gfp);
|
||||
if (i) {
|
||||
ret = -ENOMEM;
|
||||
goto free;
|
||||
ret = sctp_stream_alloc_in(stream, incnt, gfp);
|
||||
if (ret) {
|
||||
sched->free(stream);
|
||||
kfree(stream->out);
|
||||
stream->out = NULL;
|
||||
stream->outcnt = 0;
|
||||
goto out;
|
||||
}
|
||||
|
||||
stream->incnt = incnt;
|
||||
goto out;
|
||||
|
||||
free:
|
||||
sched->free(stream);
|
||||
kfree(stream->out);
|
||||
stream->out = NULL;
|
||||
out:
|
||||
return ret;
|
||||
}
|
||||
|
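Review bot: The `sctp_stream_alloc_in()` failure branch in the second hunk releases `stream->out` with a bare `kfree()` and resets `outcnt`, but nothing visible there releases per-stream allocations hanging off the entries of `stream->out`. The commit message says the `for()` in `sctp_stream_free()` walks `outcnt` elements to free them, so if any such element can already be populated when `sctp_stream_init()` runs on an existing stream (the `sctp_stream_outq_migrate()` call in the first hunk suggests it can, but that is inferred), those objects would be leaked here unless `sched->free(stream)` covers them. The pairing that prevents the crash is also only implicit; a comment above the branch such as `/* out and outcnt must be reset together: sctp_stream_free() iterates outcnt entries of out */` would keep a later edit from reintroducing the NULL dereference. In the first hunk, the new `goto out` on `sctp_stream_alloc_out()` failure leaves `stream->outcnt` at its previous value, which is only safe if that helper leaves `stream->out` intact on failure; that is worth confirming. The function body starts outside both hunks.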