linux-stable/net at be364c8c0f17a3dd42707b5a090b318028538eb9 - linux-stable - MyRedstone

Kernel/linux-stable

mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2025-01-10 07:00:48 +00:00

History

Tommi Rantala be364c8c0f sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails

Trinity (the syscall fuzzer) discovered a memory leak in SCTP,
reproducible e.g. with the sendto() syscall by passing invalid
user space pointer in the second argument:

 #include <string.h>
 #include <arpa/inet.h>
 #include <sys/socket.h>

 int main(void)
 {
         int fd;
         struct sockaddr_in sa;

         fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
         if (fd < 0)
                 return 1;

         memset(&sa, 0, sizeof(sa));
         sa.sin_family = AF_INET;
         sa.sin_addr.s_addr = inet_addr("127.0.0.1");
         sa.sin_port = htons(11111);

         sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));

         return 0;
 }

As far as I can tell, the leak has been around since ~2003.

Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

2012-11-28 11:10:09 -05:00

..

The following changes since commit 4cbe5a555fa58a79b6ecbb6c531b8bab0650778d:

2012-10-12 09:59:23 +09:00

tokenring: delete all remaining driver support

2012-05-15 20:23:16 -04:00

vlan: allow to change type when no vlan device is hooked on netdev

2012-10-18 15:34:30 -04:00

userns: Print out socket uids in a user namespace aware fashion.

2012-08-14 21:48:06 -07:00

net🏧fix up ENOIOCTLCMD error handling

2012-08-31 16:14:33 -04:00

userns: Convert net/ax25 to use kuid_t where appropriate

2012-08-14 21:49:42 -07:00

batman-adv: process broadcast packets in BLA earlier

2012-11-16 09:36:54 +01:00

Bluetooth: Fix memory leak when removing a UUID

2012-11-09 16:45:37 +01:00

bridge: Pull ip header into skb->data before looking into ip header.

2012-10-10 22:50:45 -04:00

caif: move the dereference below the NULL test

2012-09-10 16:13:31 -04:00

can: bcm: initialize ifindex for timeouts without previous frame reception

2012-11-26 22:33:59 +01:00

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client

2012-10-29 08:49:25 -07:00

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem

2012-11-21 11:48:31 -05:00

netlink: Rename pid to portid to avoid confusion

2012-09-10 15:30:41 -04:00

dccp: fix info leak via getsockopt(DCCP_SOCKOPT_CCID_TX_INFO)

2012-08-15 21:36:31 -07:00

sections: fix section conflicts in net

2012-10-06 03:04:45 +09:00

Merge branch 'modules-next' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux

2012-10-14 13:39:34 -07:00

workqueue: deprecate flush[_delayed]_work_sync()

2012-08-20 14:51:24 -07:00

ipx: move peII functions

2012-07-19 10:48:00 -07:00

net/ieee802154/6lowpan.c: Remove unecessary semicolon

2012-09-18 16:08:19 -04:00

net: ipmr: limit MRT_TABLE identifiers

2012-11-26 17:36:59 -05:00

ipv6: fix inet6_csk_update_pmtu() return value

2012-11-20 15:16:15 -05:00

userns: Print out socket uids in a user namespace aware fashion.

2012-08-14 21:48:06 -07:00

Merge 3.7-rc1 into tty-linus

2012-10-14 22:41:27 -07:00

net: remove skb_orphan_try()

2012-06-15 15:30:15 -07:00

net/key/af_key.c: add range checks on ->sadb_x_policy_len

2012-10-01 17:15:06 -04:00

l2tp: fix oops in l2tp_eth_create() error path

2012-11-02 21:56:35 -04:00

lapb: Neaten debugging

2012-05-17 18:45:20 -04:00

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace

2012-10-02 11:11:09 -07:00

Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211

2012-11-19 14:37:43 -05:00

mac802154: sparse warnings: make symbols static

2012-07-12 07:54:45 -07:00

netfilter: cttimeout: fix buffer overflow

2012-11-21 23:50:14 +01:00

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next

2012-10-02 13:38:27 -07:00

netlink: use kfree_rcu() in netlink_release()

2012-10-18 15:34:30 -04:00

net: change return values from -EACCES to -EPERM

2012-09-21 13:58:08 -04:00

NFC: Fix nfc_llcp_local chained list insertion

2012-11-20 00:09:25 +01:00

net/openvswitch/vport.c: Remove unecessary semicolon

2012-09-18 16:08:19 -04:00

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace

2012-10-02 11:11:09 -07:00

netlink: Rename pid to portid to avoid confusion

2012-09-10 15:30:41 -04:00

RDS: fix rds-ping spinlock recursion

2012-10-09 13:57:23 -04:00

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next

2012-10-02 13:38:27 -07:00

net: Convert all sysctl registrations to register_net_sysctl

2012-04-20 21:22:30 -04:00

Merge branch 'modules-next' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux

2012-10-14 13:39:34 -07:00

pkt_sched: enable QFQ to support TSO/GSO

2012-11-07 15:37:04 -05:00

sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails

2012-11-28 11:10:09 -05:00

SUNRPC: return proper errno from backchannel_rqst

2012-11-01 11:50:53 -04:00

tipc: do not use tasklet_disable before tasklet_kill

2012-11-03 15:10:14 -04:00

af_unix: old_cred is surplus

2012-09-17 13:00:13 -04:00

wanmain: comparing array with NULL

2012-07-24 13:55:21 -07:00

net: cleanup unsigned to unsigned int

2012-04-15 12:44:40 -04:00

wireless: allow 40 MHz on world roaming channels 12/13

2012-11-12 16:26:06 +01:00

net: Fix (nearly-)kernel-doc comments for various functions

2012-07-10 23:13:45 -07:00

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next

2012-10-02 13:38:27 -07:00

compat.c

make get_file() return its argument

2012-09-26 21:10:25 -04:00

Kconfig

net: Add INET dependency on aes crypto for the sake of TCP fastopen.

2012-09-04 14:20:14 -04:00

Makefile

econet: remove ancient bug ridden protocol

2012-05-18 01:35:08 -04:00

nonet.c

…

socket.c

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

2012-10-02 20:25:04 -07:00

sysctl_net.c

net: delete all instances of special processing for token ring

2012-05-15 20:14:35 -04:00