]> Git Repo - linux.git/commit
projects / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: ba77919) | patch
sctp: fix error path in sctp_stream_init
authorMarcelo Ricardo Leitner <[email protected]>
Tue, 2 Jan 2018 21:44:37 +0000 (19:44 -0200)
committerDavid S. Miller <[email protected]>
Wed, 3 Jan 2018 16:29:42 +0000 (11:29 -0500)
commit79d0895140e937ba111e6420b4cd83ee75efa788
tree6edb4a6cc1a852af40a183d6b7e7dcedaaafa046tree | snapshot
parentba77919808c6dbfc51b9ed52458c31c06197414fcommit | diff
sctp: fix error path in sctp_stream_init

syzbot noticed a NULL pointer dereference panic in sctp_stream_free()
which was caused by an incomplete error handling in sctp_stream_init().
By not clearing stream->outcnt, it made a for() in sctp_stream_free()
think that it had elements to free, but not, leading to the panic.

As suggested by Xin Long, this patch also simplifies the error path by
moving it to the only if() that uses it.

See-also: https://www.spinics.net/lists/netdev/msg473756.html
See-also: https://www.spinics.net/lists/netdev/msg465024.html
Reported-by: syzbot <[email protected]>
Fixes: f952be79cebd ("sctp: introduce struct sctp_stream_out_ext")
Signed-off-by: Marcelo Ricardo Leitner <[email protected]>
Reviewed-by: Xin Long <[email protected]>
Acked-by: Neil Horman <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
net/sctp/stream.c diff | blob | blame | history
Empty description
This page took 0.053978 seconds and 4 git commands to generate.