diff mbox

[Yakkety,SRU,1/2] sctp: avoid BUG_ON on sctp_wait_for_sndbuf

Message ID 20170321195338.7906-1-cascardo@canonical.com
State New
Headers show

Commit Message

Thadeu Lima de Souza Cascardo March 21, 2017, 7:53 p.m. UTC 
From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

Alexander Popov reported that an application may trigger a BUG_ON in
sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
waiting on it to queue more data and meanwhile another thread peels off
the association being used by the first thread.

This patch replaces the BUG_ON call with a proper error handling. It
will return -EPIPE to the original sendmsg call, similarly to what would
have been done if the association wasn't found in the first place.

Acked-by: Alexander Popov <alex.popov@linux.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 2dcab598484185dea7ec22219c76dcdd59e3cb90)
CVE-2017-5986
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 net/sctp/socket.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Tim Gardner March 22, 2017, 1:23 p.m. UTC | #1 
ACK to both patches
Stefan Bader March 27, 2017, 2:19 p.m. UTC | #2 
On 21.03.2017 20:53, Thadeu Lima de Souza Cascardo wrote:
> From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> 
> Alexander Popov reported that an application may trigger a BUG_ON in
> sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
> waiting on it to queue more data and meanwhile another thread peels off
> the association being used by the first thread.
> 
> This patch replaces the BUG_ON call with a proper error handling. It
> will return -EPIPE to the original sendmsg call, similarly to what would
> have been done if the association wasn't found in the first place.
> 
> Acked-by: Alexander Popov <alex.popov@linux.com>
> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> Reviewed-by: Xin Long <lucien.xin@gmail.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> (cherry picked from commit 2dcab598484185dea7ec22219c76dcdd59e3cb90)
> CVE-2017-5986
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> ---
>  net/sctp/socket.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index 7b0e059..6a7b695 100644
> --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -7425,7 +7425,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
>  		 */
>  		release_sock(sk);
>  		current_timeo = schedule_timeout(current_timeo);
> -		BUG_ON(sk != asoc->base.sk);
> +		if (sk != asoc->base.sk)
> +			goto do_error;
>  		lock_sock(sk);
>  
>  		*timeo_p = current_timeo;
>
Thadeu Lima de Souza Cascardo April 4, 2017, 3:03 p.m. UTC | #3 
Applied to yakkety master-next branch.

Thanks.
Cascardo.
diff mbox

Patch

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 7b0e059..6a7b695 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -7425,7 +7425,8 @@  static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
 		 */
 		release_sock(sk);
 		current_timeo = schedule_timeout(current_timeo);
-		BUG_ON(sk != asoc->base.sk);
+		if (sk != asoc->base.sk)
+			goto do_error;
 		lock_sock(sk);
 
 		*timeo_p = current_timeo;