diff options
| author | Rémi Denis-Courmont <remi.denis-courmont@nokia.com> | 2010-05-25 19:08:39 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2010-05-25 19:08:39 -0400 |
| commit | e513480e28cdfd868755f05c1a654fcfcee58070 (patch) | |
| tree | 53fd9bf4786dc56843641912fdc260c1b76f1613 | |
| parent | 7466a38478a30d5f7248134c9bdcb4e1c01fe4d9 (diff) | |
Phonet: fix potential use-after-free in pep_sock_close()
sk_common_release() might destroy our last reference to the socket.
So an extra temporary reference is needed during cleanup.
Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/phonet/pep.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/phonet/pep.c b/net/phonet/pep.c index af4d38bc3b22..7b048a35ca58 100644 --- a/net/phonet/pep.c +++ b/net/phonet/pep.c | |||
| @@ -626,6 +626,7 @@ static void pep_sock_close(struct sock *sk, long timeout) | |||
| 626 | struct pep_sock *pn = pep_sk(sk); | 626 | struct pep_sock *pn = pep_sk(sk); |
| 627 | int ifindex = 0; | 627 | int ifindex = 0; |
| 628 | 628 | ||
| 629 | sock_hold(sk); /* keep a reference after sk_common_release() */ | ||
| 629 | sk_common_release(sk); | 630 | sk_common_release(sk); |
| 630 | 631 | ||
| 631 | lock_sock(sk); | 632 | lock_sock(sk); |
| @@ -644,6 +645,7 @@ static void pep_sock_close(struct sock *sk, long timeout) | |||
| 644 | 645 | ||
| 645 | if (ifindex) | 646 | if (ifindex) |
| 646 | gprs_detach(sk); | 647 | gprs_detach(sk); |
| 648 | sock_put(sk); | ||
| 647 | } | 649 | } |
| 648 | 650 | ||
| 649 | static int pep_wait_connreq(struct sock *sk, int noblock) | 651 | static int pep_wait_connreq(struct sock *sk, int noblock) |