sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect

lxin · gregkh · commit 4519a59a502f · 2017-11-18T11:30:36.000+01:00
[ Upstream commit 1cc276c ] Now sctp processes icmp redirect packet in sctp_icmp_redirect where it calls sctp_transport_dst_check in which tp->dst can be released. The problem is before calling sctp_transport_dst_check, it doesn't check sock_owned_by_user, which means tp->dst could be freed while a process is accessing it with owning the socket. An use-after-free issue could be triggered by this. This patch is to fix it by checking sock_owned_by_user before calling sctp_transport_dst_check in sctp_icmp_redirect, so that it would not release tp->dst if users still hold sock lock. Besides, the same issue fixed in commit 45caeaa ("dccp/tcp: fix routing redirect race") on sctp also needs this check. Fixes: 55be7a9 ("ipv4: Add redirect support to all protocol icmp error handlers") Reported-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/net/sctp/input.c b/net/sctp/input.c
@@ -421,7 +421,7 @@ void sctp_icmp_redirect(struct sock *sk, struct sctp_transport *t,
 {
 	struct dst_entry *dst;
 
-	if (!t)
+	if (sock_owned_by_user(sk) || !t)
 		return;
 	dst = sctp_transport_dst_check(t);
 	if (dst)

Original file line number	Diff line number	Diff line change
`@@ -421,7 +421,7 @@ void sctp_icmp_redirect(struct sock sk, struct sctp_transport t,`
`421`	`421`	`{`
`422`	`422`	`struct dst_entry *dst;`
`423`	`423`
`424`		`- if (!t)`
	`424`	`+ if (sock_owned_by_user(sk) \|\| !t)`
`425`	`425`	`return;`
`426`	`426`	`dst = sctp_transport_dst_check(t);`
`427`	`427`	`if (dst)`