dccp: check ccid before dereferencing commit 276bdb82dedb290511467a5a4fdbe9f0b52dce6f upstream. ccid_hc_rx_getsockopt() and ccid_hc_tx_getsockopt() might be called with a NULL ccid pointer leading to a NULL pointer dereference. This could lead to a privilege escalation if the attacker is able to map page 0 and prepare it with a fake ccid_ops pointer. Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit: af843972724e172827266e91ba326c069c8c088c [log] [tgz]
author: Mathias Krause <minipli@googlemail.com> Wed Aug 15 11:31:54 2012 +0000
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Fri Sep 14 10:00:34 2012 -0700
tree: 532784df2f1c8e938f015e9f52c6fe7ae23981e4
parent: 72961d91696071841fa013f11f686eaa7e2d0996 [diff]
diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h
index 75c3582..fb85d37 100644
--- a/net/dccp/ccid.h
+++ b/net/dccp/ccid.h

@@ -246,7 +246,7 @@
 					u32 __user *optval, int __user *optlen)
 {
 	int rc = -ENOPROTOOPT;
-	if (ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL)
+	if (ccid != NULL && ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL)
 		rc = ccid->ccid_ops->ccid_hc_rx_getsockopt(sk, optname, len,
 						 optval, optlen);
 	return rc;
@@ -257,7 +257,7 @@
 					u32 __user *optval, int __user *optlen)
 {
 	int rc = -ENOPROTOOPT;
-	if (ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL)
+	if (ccid != NULL && ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL)
 		rc = ccid->ccid_ops->ccid_hc_tx_getsockopt(sk, optname, len,
 						 optval, optlen);
 	return rc;
commit	af843972724e172827266e91ba326c069c8c088c	[log] [tgz]
author	Mathias Krause <minipli@googlemail.com>	Wed Aug 15 11:31:54 2012 +0000
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	Fri Sep 14 10:00:34 2012 -0700
tree	532784df2f1c8e938f015e9f52c6fe7ae23981e4
parent	72961d91696071841fa013f11f686eaa7e2d0996 [diff]