linux

History

Hannes Frederic Sowa 9a368aff9c pptp: fix illegal memory access caused by multiple bind()s Several times already this has been reported as kasan reports caused by syzkaller and trinity and people always looked at RCU races, but it is much more simple. :) In case we bind a pptp socket multiple times, we simply add it to the callid_sock list but don't remove the old binding. Thus the old socket stays in the bucket with unused call_id indexes and doesn't get cleaned up. This causes various forms of kasan reports which were hard to pinpoint. Simply don't allow multiple binds and correct error handling in pptp_bind. Also keep sk_state bits in place in pptp_connect. Fixes: `00959ade36` ("PPTP: PPP over IPv4 (Point-to-Point Tunneling Protocol)") Cc: Dmitry Kozlov <xeb@mail.ru> Cc: Sasha Levin <sasha.levin@oracle.com> Cc: Dmitry Vyukov <dvyukov@google.com> Reported-by: Dmitry Vyukov <dvyukov@google.com> Cc: Dave Jones <davej@codemonkey.org.uk> Reported-by: Dave Jones <davej@codemonkey.org.uk> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>		2016-01-24 22:18:26 -08:00
..
Kconfig	…
Makefile	…
bsd_comp.c	…
ppp_async.c	tty: Fix recursive deadlock in tty_perform_flush()	2013-03-18 16:52:24 -07:00
ppp_deflate.c	ppp: deflate: never return len larger than output buffer	2015-01-29 14:50:01 -08:00
ppp_generic.c	ppp: declare ppp devices as enumerated interfaces	2015-12-14 16:20:57 -05:00
ppp_mppe.c	ppp: mppe: discard late packet in stateless mode	2015-04-26 23:25:13 -04:00
ppp_mppe.h	…
ppp_synctty.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next	2013-05-01 14:08:52 -07:00
pppoe.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2015-12-17 22:08:28 -05:00
pppox.c	pppox: use standard module auto-loading feature	2015-12-03 15:12:54 -05:00
pptp.c	pptp: fix illegal memory access caused by multiple bind()s	2016-01-24 22:18:26 -08:00