OpenCloudOS-Kernel/drivers/staging
David S. Miller 676d23690f net: Fix use after free by removing length arg from sk_data_ready callbacks.
Several spots in the kernel perform a sequence like:

	skb_queue_tail(&sk->sk_receive_queue, skb);
	sk->sk_data_ready(sk, skb->len);

But at the moment we place the SKB onto the socket receive queue it
can be consumed and freed up.  So this skb->len access is potentially
to freed up memory.

Furthermore, the skb->len can be modified by the consumer so it is
possible that the value isn't accurate.

And finally, no actual implementation of this callback actually uses
the length argument.  And since nobody actually cared about its
value, lots of call sites pass arbitrary values in such as '0' and
even '1'.

So just remove the length argument from the callback, that way there
is no confusion whatsoever and all of these use-after-free cases get
fixed as a side effect.

Based upon a patch by Eric Dumazet and his suggestion to audit this
issue tree-wide.

Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-11 16:15:36 -04:00
android Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2014-04-02 16:23:38 -07:00
bcm Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2014-04-02 16:23:38 -07:00
ced1401 Staging: ced1401: Fix no new typedef warning in ced_ioctl.h 2014-03-18 13:30:44 -07:00
comedi staging: comedi: poc: remove obsolete driver 2014-03-20 01:57:01 +00:00
cptm1217
crystalhd staging: crystalhd: Fix no space before tabs 2014-03-16 21:32:32 -07:00
cxt1e1 Staging: cxt1e1: Fix externs should be avoided in .c files in comet.c 2014-03-19 09:17:23 -07:00
dgap staging: dgap: fix the rest of the checkpatch warnings in dgap.c 2014-03-19 13:54:39 -07:00
dgnc staging:dgnc: Removed assignments from if statements. 2014-03-17 16:42:47 -07:00
dgrp drivers/staging/dgrp:dgrp_tty.c: Fix line over 80 characters. 2014-03-18 10:53:21 -07:00
et131x Staging: et131x: Fix warning of prefer ether_addr_copy() in et131x.c 2014-03-08 20:27:48 -08:00
frontier Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2014-04-02 16:23:38 -07:00
ft1000 staging: ft1000: Fix line over 80 characters. 2014-03-19 13:41:28 -07:00
fwserial staging/fwserial: don't use PREPARE_WORK 2014-03-07 10:24:50 -05:00
gdm72xx staging: gdm72xx: remove completed TODO item 2014-03-16 19:53:58 -07:00
gdm724x Staging: gdm724x: Fix unchecked sscanf values in gdm_lte.c 2014-03-18 11:35:53 -07:00
goldfish
gs_fpgaboot Staging: gs_gpgaboot: Fix Bad function definition in io.c 2014-03-07 13:39:56 -08:00
iio staging: adc: mxs-lradc.c Fix line over 80 characters. 2014-03-19 13:41:27 -07:00
imx-drm Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2014-04-08 09:52:16 -07:00
keucr staging:keucr: Remove typedefs 2014-03-16 22:01:41 -07:00
line6 Staging driver pull request for 3.15-rc1 2014-04-01 16:45:00 -07:00
lustre net: Fix use after free by removing length arg from sk_data_ready callbacks. 2014-04-11 16:15:36 -04:00
media Merge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media 2014-04-04 09:50:07 -07:00
mt29f_spinand
netlogic Staging:netlogic: Correct double assignment in xlr_net.c 2014-03-08 20:31:53 -08:00
nokia_h4p staging: nokia_h4p: Fix quoted string split across lines 2014-03-19 13:50:23 -07:00
nvec staging:nvec: Introduce the use of the managed version of kzalloc 2014-03-07 15:19:36 -08:00
octeon Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2014-04-02 20:53:45 -07:00
octeon-usb staging: octeon-usb: prevent memory corruption 2014-03-20 01:51:12 +00:00
olpc_dcon
ozwpan staging:ozwpan:Fix sparse warning of cast to restricted __le16 2014-03-18 11:58:45 -07:00
panel Staging: panel: Fix quoted string split across line in panel.c 2014-02-27 12:29:24 -08:00
phison
quickstart
rtl8187se Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2014-04-02 16:23:38 -07:00
rtl8188eu Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2014-04-02 16:23:38 -07:00
rtl8192e Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2014-04-02 16:23:38 -07:00
rtl8192u Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2014-04-02 16:23:38 -07:00
rtl8712 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2014-04-02 16:23:38 -07:00
rtl8723au staging: rtl8723au: The 8723 only has two paths 2014-04-07 12:53:00 -07:00
rtl8821ae Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2014-04-02 20:53:45 -07:00
rts5139 staging: rts5139: Added in sd_cprm.c an include to fix a sparse warning 2014-03-16 17:41:13 -07:00
rts5208 staging: rts5208: Fix line over 80 characters. 2014-03-18 11:56:51 -07:00
sbe-2t3e3 /drivers/staging/sbe2t3e3: Fixed left brace to be on the previous line 2014-03-10 15:06:22 -07:00
sep staging: sep: Add fallthrough comment 2014-03-16 17:52:00 -07:00
serqt_usb2 drivers/staging/serqt_usb2:serqt_usb2.c Fix line over 80 characters. 2014-03-18 11:18:05 -07:00
silicom staging/silicom/bypasslib/bp_ioctl.h Fix do not add new typedefs. 2014-03-18 11:55:31 -07:00
slicoss staging: slicoss: free IO remapping on failure 2014-03-18 12:11:55 -07:00
speakup Nothing major: the stricter permissions checking for sysfs broke 2014-04-06 09:38:07 -07:00
ste_rmi4
tidspbridge staging/tidspbridge/rmgr/mgr.c Fix quoted string split across lines 2014-03-19 09:27:39 -07:00
unisys Staging: unisys: mark drivers as BROKEN 2014-04-07 12:49:36 -07:00
usbip Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2014-04-02 16:23:38 -07:00
vme
vt6655 staging:vt6655: Fix sparse warnings of using plain integer as NULL pointer 2014-03-18 11:01:21 -07:00
vt6656 staging: vt6656: s_uGetRTSCTSRsvTime fix return. 2014-03-19 09:00:19 -07:00
winbond staging: winbond: Fix line over 80 characters. 2014-03-19 09:27:39 -07:00
wlags49_h2 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2014-04-02 20:53:45 -07:00
wlags49_h25
wlan-ng Staging: wlan-ng: Fix smatch warning potential null reference 2014-03-19 13:41:27 -07:00
xgifb Staging: xgifb: Fix quoted string split across lines in XGI_main_26.c 2014-02-28 14:29:38 -08:00
xillybus staging: xillybus: XILLYBUS_PCIE depends on PCI_MSI 2014-03-21 12:24:09 -07:00
Kconfig staging: r8723au: Turn on build of new driver 2014-04-05 14:53:46 -07:00
Makefile staging: r8723au: Turn on build of new driver 2014-04-05 14:53:46 -07:00
staging.c