refcount leak in pep_sock_accept
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Expired
|
Undecided
|
Unassigned |
Bug Description
sock_hold(sk) is invoked in pep_sock_accept():
static struct sock *pep_sock_
bool kern)
{
struct pep_sock *pn = pep_sk(sk), *newpn;
struct sock *newsk = NULL;
struct sk_buff *skb;
struct pnpipehdr *hdr;
struct sockaddr_pn dst, src;
int err;
u16 peer_type;
u8 pipe_handle, enabled, n_sb;
u8 aligned = 0;
...
newsk = sk_alloc(
kern);
if (!newsk) {
pep_reject_
err = -ENOBUFS;
goto drop;
}
...
sock_hold(sk); <---- here, sk->sk_refcnt is incremented
newpn->listener = sk;
skb_queue_
newpn->pipe_handle = pipe_handle;
atomic_
newpn->ifindex = 0;
newpn->peer_type = peer_type;
newpn->rx_credits = 0;
newpn->rx_fc = newpn->tx_fc = PN_LEGACY_
newpn->init_enable = enabled;
newpn->aligned = aligned;
err = pep_accept_
if (err) {
sock_put(newsk); <---- the reference taken on sk by sock_hold() above is not dropped on this error path; sk->sk_refcnt needs to be decremented before sock_put(newsk)
newsk = NULL;
goto drop;
}
sk_add_node(newsk, &pn->hlist);
drop:
release_sock(sk);
kfree_skb(skb);
*errp = err;
return newsk;
}
My suggestion for the patch:
static struct sock *pep_sock_
bool kern)
{
...
err = pep_accept_
if (err) {
+++ __sock_put(sk);
sock_put(newsk);
newsk = NULL;
goto drop;
}
sk_add_node(newsk, &pn->hlist);
drop:
release_sock(sk);
kfree_skb(skb);
*errp = err;
return newsk;
}
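Review bot: `sock_put(sk);` is the more conventional counterpart to the earlier `sock_hold(sk)` and is equally correct on this error path; `__sock_put()` is the non-freeing decrement and is only valid when the count is known to stay above zero, which appears to hold here because the caller still owns sk (the `release_sock(sk)` on the drop path shows the socket lock is held), but `sock_put()` makes that pairing self-evident to a reader and needs no such reasoning. Either way, the leaked reference is a resource-exhaustion risk rather than a memory-safety one: each failed pep_accept_conn() leaves sk with a reference that is never dropped, so the listening socket and what it pins are never freed. A short comment on the added line would help future readers, e.g. `/* drop the listener reference taken by sock_hold(sk) above */`. The function's signature and the elided middle of the body are outside the quoted excerpt.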
affects: | ubuntu → linux (Ubuntu) |
Hello, can you please report this to <email address hidden>? That's the easiest way to get credit for finding and fixing the issue.
Thanks