
Commit f20252d7 authored by John Stultz, committed by Amit Pundir

ANDROID: netfilter: xt_qtaguid: Fix panic caused by processing non-full socket.



In an issue very similar to 4e461c777e3 (xt_qtaguid: Fix panic
caused by synack processing), we were seeing panics on occasion
in testing.

In this case, it was the same issue, but caused by a different
call path, as the sk being returned from qtaguid_find_sk() was
not a full socket, resulting in the sk->sk_socket deref failing.

This patch adds an extra check to ensure the sk being returned
is a full socket, and if not it returns NULL.

Reported-by: Milosz Wasilewski <milosz.wasilewski@linaro.org>
Signed-off-by: John Stultz <john.stultz@linaro.org>
parent af798507
+1 −1
@@ -1606,7 +1606,7 @@ static struct sock *qtaguid_find_sk(const struct sk_buff *skb,
		 * When in TCP_TIME_WAIT the sk is not a "struct sock" but
		 * "struct inet_timewait_sock" which is missing fields.
		 */
		if (sk->sk_state  == TCP_TIME_WAIT) {
		if (!sk_fullsock(sk) || sk->sk_state  == TCP_TIME_WAIT) {
			sock_gen_put(sk);
			sk = NULL;
		}
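
Review bot: The comment directly above the changed condition in qtaguid_find_sk() still explains only the TCP_TIME_WAIT case ("the sk is not a struct sock but struct inet_timewait_sock"), while the new `!sk_fullsock(sk)` test rejects every non-full socket, which is the case the commit message says caused the panic. Please extend the comment to say that any non-full sk lacks the fields later dereferenced (sk->sk_socket) and is therefore dropped here. If sk_fullsock() already returns false for a socket in TCP_TIME_WAIT, the explicit `sk->sk_state  == TCP_TIME_WAIT` comparison is redundant and the condition can be reduced to `if (!sk_fullsock(sk))`; if it is kept, the double space before `==` is worth cleaning up while the line is being touched. Callers should also be checked to confirm they all handle the NULL return, since this widens the set of packets for which no sk is returned.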