net/can bugfix: use after free bug in can protocol drivers

lw-karo · davem330 · commit f7e5cc0c40df · 2009-07-15T11:20:37.000-07:00
Fix a use after free bug in can protocol drivers The release functions of the can protocol drivers lack a call to sock_orphan() which leads to referencing freed memory under certain circumstances. This patch fixes a bug reported here: https://lists.berlios.de/pipermail/socketcan-users/2009-July/000985.html Signed-off-by: Lothar Wassmann <LW@KARO-electronics.de> Acked-by: Oliver Hartkopp <oliver@hartkopp.net> Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/can/bcm.c b/net/can/bcm.c
@@ -1469,6 +1469,9 @@ static int bcm_release(struct socket *sock)
 		bo->ifindex = 0;
 	}
 
+	sock_orphan(sk);
+	sock->sk = NULL;
+
 	release_sock(sk);
 	sock_put(sk);
 
diff --git a/net/can/raw.c b/net/can/raw.c
@@ -306,6 +306,9 @@ static int raw_release(struct socket *sock)
 	ro->bound   = 0;
 	ro->count   = 0;
 
+	sock_orphan(sk);
+	sock->sk = NULL;
+
 	release_sock(sk);
 	sock_put(sk);
 

Original file line number	Diff line number	Diff line change
`@@ -1469,6 +1469,9 @@ static int bcm_release(struct socket *sock)`
`1469`	`1469`	`bo->ifindex = 0;`
`1470`	`1470`	`}`
`1471`	`1471`
	`1472`	`+ sock_orphan(sk);`
	`1473`	`+ sock->sk = NULL;`
	`1474`	`+`
`1472`	`1475`	`release_sock(sk);`
`1473`	`1476`	`sock_put(sk);`
`1474`	`1477`