| From 89659c78061d51ab18caaf4063b823a24572bd09 Mon Sep 17 00:00:00 2001 |
| From: Mathias Krause <minipli@googlemail.com> |
| Date: Wed, 15 Aug 2012 11:31:54 +0000 |
| Subject: [PATCH] dccp: check ccid before dereferencing |
| |
| commit 276bdb82dedb290511467a5a4fdbe9f0b52dce6f upstream. |
| |
| ccid_hc_rx_getsockopt() and ccid_hc_tx_getsockopt() might be called with |
| a NULL ccid pointer leading to a NULL pointer dereference. This could |
| lead to a privilege escalation if the attacker is able to map page 0 and |
| prepare it with a fake ccid_ops pointer. |
| |
| Signed-off-by: Mathias Krause <minipli@googlemail.com> |
| Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk> |
| Cc: stable@vger.kernel.org |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| --- |
| net/dccp/ccid.h | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h |
| index 6df6f8ac9636..4f78abbf1045 100644 |
| --- a/net/dccp/ccid.h |
| +++ b/net/dccp/ccid.h |
| @@ -218,7 +218,7 @@ static inline int ccid_hc_rx_getsockopt(struct ccid *ccid, struct sock *sk, |
| u32 __user *optval, int __user *optlen) |
| { |
| int rc = -ENOPROTOOPT; |
| - if (ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL) |
| + if (ccid != NULL && ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL) |
| rc = ccid->ccid_ops->ccid_hc_rx_getsockopt(sk, optname, len, |
| optval, optlen); |
| return rc; |
| @@ -229,7 +229,7 @@ static inline int ccid_hc_tx_getsockopt(struct ccid *ccid, struct sock *sk, |
| u32 __user *optval, int __user *optlen) |
| { |
| int rc = -ENOPROTOOPT; |
| - if (ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL) |
| + if (ccid != NULL && ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL) |
| rc = ccid->ccid_ops->ccid_hc_tx_getsockopt(sk, optname, len, |
| optval, optlen); |
| return rc; |
| -- |
| 1.8.5.2 |
| |
