Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux

tipc: fix use-after-free in tipc_disc_rcv()

In the function 'tipc_disc_rcv()', 'msg_peer_net_hash()' is called
to read the header data field, but after the message skb has been freed,
which might result in a garbage value...

This commit fixes it by defining a new local variable to store the data
first, just like the other header fields' handling.

Fixes: f73b12812a3d ("tipc: improve throughput between nodes in netns")
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: Tuong Lien <tuong.t.lien@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by Tuong Lien and committed by David S. Miller
31e4ccc9 abc9b4e0

+3 -3
net/tipc/discover.c
··· 194 194 { 195 195 struct tipc_net *tn = tipc_net(net); 196 196 struct tipc_msg *hdr = buf_msg(skb); 197 + u32 pnet_hash = msg_peer_net_hash(hdr); 197 198 u16 caps = msg_node_capabilities(hdr); 198 199 bool legacy = tn->legacy_addr_format; 199 200 u32 sugg = msg_sugg_node_addr(hdr); ··· 243 242 return; 244 243 if (!tipc_in_scope(legacy, b->domain, src)) 245 244 return; 246 - tipc_node_check_dest(net, src, peer_id, b, caps, signature, 247 - msg_peer_net_hash(hdr), &maddr, &respond, 248 - &dupl_addr); 245 + tipc_node_check_dest(net, src, peer_id, b, caps, signature, pnet_hash, 246 + &maddr, &respond, &dupl_addr); 249 247 if (dupl_addr) 250 248 disc_dupl_alert(b, src, &maddr); 251 249 if (!respond)
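Review bot: the hunk moves the only visible post-free read of hdr (the msg_peer_net_hash(hdr) argument in the tipc_node_check_dest() call) into the local pnet_hash read at the top beside caps and sugg, but the point where the skb is freed is not in the diff context, and the commit message does not name it either; state in the message where in tipc_disc_rcv() the skb is freed so a reviewer can confirm from the function body that no other hdr dereference remains after that point. Otherwise the change matches the existing pattern for the other header fields, and the reflowed call `tipc_node_check_dest(net, src, peer_id, b, caps, signature, pnet_hash, &maddr, &respond, &dupl_addr);` keeps the argument order unchanged.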