Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e513480e authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont Committed by David S. Miller
Browse files

Phonet: fix potential use-after-free in pep_sock_close() 



sk_common_release() might destroy our last reference to the socket.
So an extra temporary reference is needed during cleanup.

Signed-off-by: default avatarRémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 7466a384

net/phonet/pep.c

+2 −0
Original line number Diff line number Diff line
@@ -626,6 +626,7 @@ static void pep_sock_close(struct sock *sk, long timeout) 
	struct pep_sock *pn = pep_sk(sk);

	int ifindex = 0;



	sock_hold(sk); /* keep a reference after sk_common_release() */

	sk_common_release(sk);



	lock_sock(sk);
@@ -644,6 +645,7 @@ static void pep_sock_close(struct sock *sk, long timeout) 


	if (ifindex)

		gprs_detach(sk);

	sock_put(sk);

}



static int pep_wait_connreq(struct sock *sk, int noblock)