diff for duplicates of <20161103175220.GG8514@localhost.localdomain>
diff --git a/a/1.txt b/N1/1.txt
index f42b888..85e95b5 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -7,7 +7,7 @@ On Thu, Nov 03, 2016 at 06:11:01PM +0100, Andrey Konovalov wrote:
 > >>>
 > >>> I've got the following error report while running the syzkaller fuzzer:
 > >>>
-> >>> =================================
+> >>> ==================================================================
 > >>> BUG: KASAN: use-after-free in __sctp_connect+0xabe/0xbf0 at addr
 > >>> ffff88006b1dc610
 > >>
@@ -26,7 +26,7 @@ Hi
 > setsockopt() calls sctp_wait_for_connect(), which exits the for loop
 > on the sk->sk_shutdown & RCV_SHUTDOWN if clause, and then frees asoc
 > with sctp_association_put() and returns err = 0.
-> Then __sctp_connect() checks that err = 0 and reads asoc->assoc_id
+> Then __sctp_connect() checks that err == 0 and reads asoc->assoc_id
 > from the freed asoc.
 Suddenly this seems familiar. Your description makes sense, thanks for
@@ -59,7 +59,7 @@ index 9fbb6feb8c27..aac271571930 100644
 + sctp_association_hold(asoc);
 err = sctp_wait_for_connect(asoc, &timeo);
- if ((err = 0 || err = -EINPROGRESS) && assoc_id)
+ if ((err == 0 || err == -EINPROGRESS) && assoc_id)
 *assoc_id = asoc->assoc_id;
 + sctp_association_put(asoc);
diff --git a/a/content_digest b/N1/content_digest
index c8d6c19..3bef9b5 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -4,7 +4,7 @@ "ref\0CAAeHK+xxcV8XV1Pc2_eBrQWTDSp3ooc1LLX81jhCTCvk7hhaVg@mail.gmail.com\0" "From\0Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>\0" "Subject\0Re: net/sctp: use-after-free in __sctp_connect\0" - "Date\0Thu, 03 Nov 2016 17:52:20 +0000\0" + "Date\0Thu, 3 Nov 2016 15:52:20 -0200\0" "To\0Andrey Konovalov <andreyknvl@google.com>\0" "Cc\0Vlad Yasevich <vyasevich@gmail.com>" Neil Horman <nhorman@tuxdriver.com>
@@ -28,7 +28,7 @@ "> >>>\n" "> >>> I've got the following error report while running the syzkaller fuzzer:\n" "> >>>\n" - "> >>> =================================\n" + "> >>> ==================================================================\n" "> >>> BUG: KASAN: use-after-free in __sctp_connect+0xabe/0xbf0 at addr\n" "> >>> ffff88006b1dc610\n" "> >>\n" @@ -47,7 +47,7 @@ "> setsockopt() calls sctp_wait_for_connect(), which exits the for loop\n" "> on the sk->sk_shutdown & RCV_SHUTDOWN if clause, and then frees asoc\n" "> with sctp_association_put() and returns err = 0.\n" - "> Then __sctp_connect() checks that err = 0 and reads asoc->assoc_id\n" + "> Then __sctp_connect() checks that err == 0 and reads asoc->assoc_id\n" "> from the freed asoc.\n" "\n" "Suddenly this seems familiar. Your description makes sense, thanks for\n" @@ -80,7 +80,7 @@ " \n" "+\tsctp_association_hold(asoc);\n" " \terr = sctp_wait_for_connect(asoc, &timeo);\n" - " \tif ((err = 0 || err = -EINPROGRESS) && assoc_id)\n" + " \tif ((err == 0 || err == -EINPROGRESS) && assoc_id)\n" " \t\t*assoc_id = asoc->assoc_id;\n" "+\tsctp_association_put(asoc);\n" " \n" @@ -125,4 +125,4 @@ " \n" do_error: -a80f1cae8de48379ff8e9c5e519473bd89102a7c7a2f74f5d3b19ae52f252f64 +3977d60cb3858deeb810d4b21f0c5be9d79640358d2c367e353f2e9296808800