linux/net/tipc
Jon Maloy be47e41d77 tipc: fix use-after-free in tipc_nametbl_stop
When we delete a service item in tipc_nametbl_stop() we loop over
all service ranges in the service's RB tree, and for each service
range we loop over its pertaining publications while calling
tipc_service_remove_publ() for each of them.

However, tipc_service_remove_publ() has the side effect that it also
removes the comprising service range item when there are no publications
left. This leads to a "use-after-free" access when the inner loop
continues to the next iteration, since the range item holding the list
we are looping no longer exists.

We fix this by moving the delete of the service range item outside
the said function. Instead, we now let the two functions calling it
test if the list is empty and perform the removal when that is the
case.

Reported-by: syzbot+d64b64afc55660106556@syzkaller.appspotmail.com
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-04-18 13:48:43 -04:00
..
Kconfig tipc: implement socket diagnostics for AF_TIPC 2018-03-22 14:43:35 -04:00
Makefile tipc: implement socket diagnostics for AF_TIPC 2018-03-22 14:43:35 -04:00
addr.c tipc: handle collisions of 32-bit node address hash values 2018-03-23 13:12:18 -04:00
addr.h tipc: add 128-bit node identifier 2018-03-23 13:12:18 -04:00
bcast.c tipc: bcast: use true and false for boolean values 2018-03-07 12:18:00 -05:00
bcast.h tipc: make replicast a user selectable option 2017-01-20 12:10:17 -05:00
bearer.c tipc: obtain node identity from interface by default 2018-03-23 13:12:18 -04:00
bearer.h tipc: some cleanups in the file discover.c 2018-03-23 13:12:17 -04:00
core.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
core.h tipc: replace name table service range array with rb tree 2018-03-31 22:19:52 -04:00
diag.c tipc: use the right skb in tipc_sk_fill_sock_diag() 2018-04-08 12:34:29 -04:00
discover.c tipc: tipc_disc_addr_trial_msg() can be static 2018-03-25 21:21:43 -04:00
discover.h tipc: some cleanups in the file discover.c 2018-03-23 13:12:17 -04:00
eth_media.c tipc: make media address offset a common define 2015-02-27 18:18:48 -05:00
group.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-03-06 01:20:46 -05:00
group.h tipc: fix race between poll() and setsockopt() 2018-01-19 15:12:21 -05:00
ib_media.c tipc: rename media/msg related definitions 2015-02-27 18:18:48 -05:00
link.c tipc: avoid possible string overflow 2018-03-31 22:19:52 -04:00
link.h tipc: handle collisions of 32-bit node address hash values 2018-03-23 13:12:18 -04:00
monitor.c tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path 2017-12-27 10:55:00 -05:00
monitor.h tipc: dump monitor attributes 2016-07-26 14:26:42 -07:00
msg.c tipc: obsolete TIPC_ZONE_SCOPE 2018-03-17 17:11:46 -04:00
msg.h tipc: handle collisions of 32-bit node address hash values 2018-03-23 13:12:18 -04:00
name_distr.c tipc: permit overlapping service ranges in name table 2018-03-31 22:19:52 -04:00
name_distr.h tipc: permit overlapping service ranges in name table 2018-03-31 22:19:52 -04:00
name_table.c tipc: fix use-after-free in tipc_nametbl_stop 2018-04-18 13:48:43 -04:00
name_table.h tipc: fix unbalanced reference counter 2018-04-12 21:46:10 -04:00
net.c tipc: fix possible crash in __tipc_nl_net_set() 2018-04-16 18:08:18 -04:00
net.h tipc: obtain node identity from interface by default 2018-03-23 13:12:18 -04:00
netlink.c tipc: fix possible crash in __tipc_nl_net_set() 2018-04-16 18:08:18 -04:00
netlink.h tipc: make cluster size threshold for monitoring configurable 2016-07-26 14:26:42 -07:00
netlink_compat.c tipc: Fix missing RTNL lock protection during setting link properties 2018-02-14 14:46:33 -05:00
node.c tipc: permit overlapping service ranges in name table 2018-03-31 22:19:52 -04:00
node.h tipc: handle collisions of 32-bit node address hash values 2018-03-23 13:12:18 -04:00
socket.c tipc: fix missing initializer in tipc_sendmsg() 2018-04-12 21:55:38 -04:00
socket.h tipc: use the right skb in tipc_sk_fill_sock_diag() 2018-04-08 12:34:29 -04:00
subscr.c tipc: fix unbalanced reference counter 2018-04-12 21:46:10 -04:00
subscr.h tipc: replace name table service range array with rb tree 2018-03-31 22:19:52 -04:00
sysctl.c tipc: add name distributor resiliency queue 2014-09-01 17:51:48 -07:00
topsrv.c tipc: don't call sock_release() in atomic context 2018-02-19 14:38:50 -05:00
topsrv.h tipc: rename tipc_server to tipc_topsrv 2018-02-16 15:26:34 -05:00
udp_media.c tipc: fix error handling in tipc_udp_enable() 2018-03-27 10:50:02 -04:00
udp_media.h tipc: add UDP remoteip dump to netlink API 2016-08-26 21:38:41 -07:00