From f7e5cc0c40dff92bad2894153f675c6c542ba2f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lothar=20Wa=C3=9Fmann?= Date: Tue, 14 Jul 2009 23:10:21 +0000 Subject: net/can bugfix: use after free bug in can protocol drivers Fix a use after free bug in can protocol drivers The release functions of the can protocol drivers lack a call to sock_orphan() which leads to referencing freed memory under certain circumstances. This patch fixes a bug reported here: https://lists.berlios.de/pipermail/socketcan-users/2009-July/000985.html Signed-off-by: Lothar Wassmann Acked-by: Oliver Hartkopp Signed-off-by: David S. Miller diff --git a/net/can/bcm.c b/net/can/bcm.c index 95d7f32..1d17e41 100644 --- a/net/can/bcm.c +++ b/net/can/bcm.c @@ -1469,6 +1469,9 @@ static int bcm_release(struct socket *sock) bo->ifindex = 0; } + sock_orphan(sk); + sock->sk = NULL; + release_sock(sk); sock_put(sk); diff --git a/net/can/raw.c b/net/can/raw.c index 6aa154e..3482546 100644 --- a/net/can/raw.c +++ b/net/can/raw.c @@ -306,6 +306,9 @@ static int raw_release(struct socket *sock) ro->bound = 0; ro->count = 0; + sock_orphan(sk); + sock->sk = NULL; + release_sock(sk); sock_put(sk); -- cgit v0.10.2