[PATCH 2/5] Bad dereference of xfrm_state in pf

To:	"David S. Miller" <davem@xxxxxxxxxx>
Subject:	[PATCH 2/5] Bad dereference of xfrm_state in pf_key
From:	Krishna Kumar <krkumar@xxxxxxxxxx>
Date:	Tue, 13 Jan 2004 13:22:36 -0800 (PST)
Cc:	netdev@xxxxxxxxxxx
In-reply-to:	<Pine.LNX.4.44.0401131319510.25742-100000@linux-udp14999547uds>
Sender:	netdev-bounce@xxxxxxxxxxx

In pfkey_get(), the xfrm_state is dereferenced after it is dropped,
which could lead to dereferencing freed memory. This can also be done
by dropping the reference before the pfkey_broadcast() and in the IS_ERR
case.

thanks,

- KK

diff -ruN linux-2.6.0-rc2-bk6.org/net/key/af_key.c 
linux-2.6.0-rc2-bk6/net/key/af_key.c
--- linux-2.6.0-rc2-bk6.org/net/key/af_key.c    2004-01-05 13:45:47.000000000 
-0800
+++ linux-2.6.0-rc2-bk6/net/key/af_key.c        2004-01-09 12:41:30.000000000 
-0800
@@ -1283,6 +1283,7 @@

 static int pfkey_get(struct sock *sk, struct sk_buff *skb, struct sadb_msg 
*hdr, void **ext_hdrs)
 {
+       __u8 proto;
        struct sk_buff *out_skb;
        struct sadb_msg *out_hdr;
        struct xfrm_state *x;
@@ -1297,6 +1298,7 @@
                return -ESRCH;

        out_skb = pfkey_xfrm_state2msg(x, 1, 3);
+       proto = x->id.proto;
        xfrm_state_put(x);
        if (IS_ERR(out_skb))
                return  PTR_ERR(out_skb);
@@ -1304,7 +1306,7 @@
        out_hdr = (struct sadb_msg *) out_skb->data;
        out_hdr->sadb_msg_version = hdr->sadb_msg_version;
        out_hdr->sadb_msg_type = SADB_DUMP;
-       out_hdr->sadb_msg_satype = pfkey_proto2satype(x->id.proto);
+       out_hdr->sadb_msg_satype = pfkey_proto2satype(proto);
        out_hdr->sadb_msg_errno = 0;
        out_hdr->sadb_msg_reserved = 0;
        out_hdr->sadb_msg_seq = hdr->sadb_msg_seq;

<Prev in Thread]	Current Thread	[Next in Thread>
[PATCH] Bugs in xfrm, Krishna Kumar Re: [PATCH] Bugs in xfrm, David S. Miller Re: [PATCH] Bugs in xfrm, Krishna Kumar Re: [PATCH] Bugs in xfrm, David S. Miller [PATCH 1/5] ipcomp_tunnel_create doesn't set tunnel state, Krishna Kumar [PATCH 2/5] Bad dereference of xfrm_state in pf_key, Krishna Kumar <= Re: [PATCH 2/5] Bad dereference of xfrm_state in pf_key, David S. Miller [PATCH 3/5] xfrm_lookup bugs, Krishna Kumar Re: [PATCH 3/5] xfrm_lookup bugs, David S. Miller [PATCH 4/5] xfrm_state_construct doesn't set tunnel state, Krishna Kumar Re: [PATCH 4/5] xfrm_state_construct doesn't set tunnel state, David S. Miller [PATCH 5/5] schedule() bug in xfrm_lookup(), Krishna Kumar Re: [PATCH 5/5] schedule() bug in xfrm_lookup(), David S. Miller Re: [PATCH 1/5] ipcomp_tunnel_create doesn't set tunnel state, David S. Miller

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	[PATCH 1/5] ipcomp_tunnel_create doesn't set tunnel state, Krishna Kumar
Next by Date:	[PATCH 3/5] xfrm_lookup bugs, Krishna Kumar
Previous by Thread:	[PATCH 1/5] ipcomp_tunnel_create doesn't set tunnel state, Krishna Kumar
Next by Thread:	Re: [PATCH 2/5] Bad dereference of xfrm_state in pf_key, David S. Miller
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

[PATCH 1/5] ipcomp_tunnel_create doesn't set tunnel state, Krishna Kumar

Next by Date:

[PATCH 3/5] xfrm_lookup bugs, Krishna Kumar

Previous by Thread:

[PATCH 1/5] ipcomp_tunnel_create doesn't set tunnel state, Krishna Kumar

Next by Thread:

Re: [PATCH 2/5] Bad dereference of xfrm_state in pf_key, David S. Miller

Indexes:

[Date] [Thread] [Top] [All Lists]