UBUNTU: SAUCE: dccp: avoid double free of ccid on child socket
When a dccp socket is cloned, the pointers to dccps_hc_rx_ccid and
dccps_hc_tx_ccid are copied. When CCID features are activated on the child
socket, the CCID objects are freed, leaving the parent socket with dangling
pointers.

During cloning, set dccps_hc_rx_ccid and dccps_hc_tx_ccid to NULL so the
parent objects are not freed.

Reported-by: Hadar Manor
CVE-2020-16119
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Juerg Haefliger <juerg.haefliger@canonical.com>
Thadeu Lima de Souza Cascardo committed Oct 9, 2020
1 parent 044d4e2 commit defe333
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions net/dccp/minisocks.c
Expand Up @@ -93,6 +93,8 @@ struct sock *dccp_create_openreq_child(const struct sock *sk,

newdp->dccps_role = DCCP_ROLE_SERVER;
newdp->dccps_hc_rx_ackvec = NULL;
newdp->dccps_hc_rx_ccid = NULL;
newdp->dccps_hc_tx_ccid = NULL;
newdp->dccps_service_list = NULL;
newdp->dccps_service = dreq->dreq_service;
newdp->dccps_timestamp_echo = dreq->dreq_timestamp_echo;
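Review bot: the two added NULL assignments mirror the existing `newdp->dccps_hc_rx_ackvec = NULL;` line directly above them, so the child socket now starts without any of the parent's per-connection objects rather than sharing the CCID pointers it inherited from the struct copy; this removes the double free, but it also means `dccps_hc_rx_ccid` and `dccps_hc_tx_ccid` are NULL on the child until CCID feature activation allocates fresh objects, so any code path that runs on the child between `dccp_create_openreq_child()` and that activation and dereferences either pointer must tolerate NULL. It would help future readers to add a one-line comment next to these assignments stating that the parent's CCIDs are deliberately not shared and are re-created on activation, since the reason is otherwise only in the commit message.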
