[maverick CVE 1/1] can: add missing socket check in can/raw release

Tim Gardner tim.gardner at canonical.com
Thu May 26 16:11:10 UTC 2011


On 05/26/2011 10:07 AM, Andy Whitcroft wrote:
> From: Oliver Hartkopp<socketcan at hartkopp.net>
>
> v2: added space after 'if' according to code style.
>
> We can get here with a NULL socket argument passed from userspace,
> so we need to handle it accordingly.
>
> Thanks to Dave Jones for pointing at this issue in net/can/bcm.c
>
> Signed-off-by: Oliver Hartkopp<socketcan at hartkopp.net>
> Signed-off-by: David S. Miller<davem at davemloft.net>
>
> CVE-2011-1748
> BugLink: http://bugs.launchpad.net/bugs/788694
> (cherry picked from commit 10022a6c66e199d8f61d9044543f38785713cbbd)
> Signed-off-by: Andy Whitcroft<apw at canonical.com>
> ---
>   net/can/raw.c |    7 ++++++-
>   1 files changed, 6 insertions(+), 1 deletions(-)
>
> diff --git a/net/can/raw.c b/net/can/raw.c
> index 1650599..9ae3b9b 100644
> --- a/net/can/raw.c
> +++ b/net/can/raw.c
> @@ -281,7 +281,12 @@ static int raw_init(struct sock *sk)
>   static int raw_release(struct socket *sock)
>   {
>   	struct sock *sk = sock->sk;
> -	struct raw_sock *ro = raw_sk(sk);
> +	struct raw_sock *ro;
> +
> +	if (!sk)
> +		return 0;
> +
> +	ro = raw_sk(sk);
>
>   	unregister_netdevice_notifier(&ro->notifier);
>
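
Review bot: The new `if (!sk)` test in raw_release() checks sock->sk, not the `sock` argument that the commit message calls "a NULL socket argument"; `sock` is still dereferenced unconditionally in the initializer `struct sock *sk = sock->sk;` one line above. The message, or a one-line comment above the check, should say that it is sock->sk that can be NULL on this path, so a later reader does not assume `sock` itself is validated here. The early `return 0` also skips unregister_netdevice_notifier(&ro->notifier) and whatever cleanup follows it, which is only correct if a socket with no sk never had its notifier registered; stating that assumption in the comment would make the fix easier to audit.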

Acked-by: Tim Gardner <tim.gardner at canonical.com>

-- 
Tim Gardner tim.gardner at canonical.com



