Commit 67f93df7 authored Mar 06, 2018 by Alexey Kodanev Committed by David S. Miller Mar 07, 2018

dccp: check sk for closed state in dccp_sendmsg()



dccp_disconnect() sets 'dp->dccps_hc_tx_ccid' tx handler to NULL,
therefore if DCCP socket is disconnected and dccp_sendmsg() is
called after it, it will cause a NULL pointer dereference in
dccp_write_xmit().

This crash and the reproducer was reported by syzbot. Looks like
it is reproduced if commit 69c64866 ("dccp: CVE-2017-8824:
use-after-free in DCCP code") is applied.

Reported-by:  <syzbot+f99ab3887ab65d70f816@syzkaller.appspotmail.com>
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 17cfe79a

net/dccp/proto.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -794,6 +794,11 @@ int dccp_sendmsg(struct sock sk, struct msghdr msg, size_t len)
		if (skb == NULL)
		goto out_release;

		if (sk->sk_state == DCCP_CLOSED) {
		rc = -ENOTCONN;
		goto out_discard;
		}

		skb_reserve(skb, sk->sk_prot->max_header);
		rc = memcpy_from_msg(skb_put(skb, len), msg, len);
		if (rc != 0)