[added to the 4.1 stable tree] dccp: CVE-2017-8824: use-after-free in DCCP code

From: Mohamed Ghannam simo.ghannam@gmail.com

This patch has been added to the 4.1 stable tree. If you have any objections, please let us know.

===============

[ Upstream commit 69c64866ce072dea1d1e59a0d61e0f66c0dffb76 ]

Whenever the sock object is in DCCP_CLOSED state, dccp_disconnect() must free dccps_hc_tx_ccid and dccps_hc_rx_ccid and set to NULL.

Signed-off-by: Mohamed Ghannam simo.ghannam@gmail.com Reviewed-by: Eric Dumazet edumazet@google.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin alexander.levin@microsoft.com --- net/dccp/proto.c | 5 +++++ 1 file changed, 5 insertions(+)

diff --git a/net/dccp/proto.c b/net/dccp/proto.c index 522658179cca..a20dc23360f9 100644 --- a/net/dccp/proto.c +++ b/net/dccp/proto.c @@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int flags) { struct inet_connection_sock *icsk = inet_csk(sk); struct inet_sock *inet = inet_sk(sk); + struct dccp_sock *dp = dccp_sk(sk); int err = 0; const int old_state = sk->sk_state;

@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int flags) sk->sk_err = ECONNRESET;

dccp_clear_xmit_timers(sk); + ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk); + ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk); + dp->dccps_hc_rx_ccid = NULL; + dp->dccps_hc_tx_ccid = NULL;

__skb_queue_purge(&sk->sk_receive_queue); __skb_queue_purge(&sk->sk_write_queue);