diff for duplicates of <20161103183533.GH8514@localhost.localdomain>
diff --git a/a/1.txt b/N1/1.txt
index 9f7d093..a0f553a 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -10,7 +10,7 @@ On Thu, Nov 03, 2016 at 07:02:47PM +0100, Andrey Konovalov wrote:
 > >> >>>
 > >> >>> I've got the following error report while running the syzkaller fuzzer:
 > >> >>>
-> >> >>> =================================
+> >> >>> ==================================================================
 > >> >>> BUG: KASAN: use-after-free in __sctp_connect+0xabe/0xbf0 at addr
 > >> >>> ffff88006b1dc610
 > >> >>
@@ -29,7 +29,7 @@ On Thu, Nov 03, 2016 at 07:02:47PM +0100, Andrey Konovalov wrote:
 > >> setsockopt() calls sctp_wait_for_connect(), which exits the for loop
 > >> on the sk->sk_shutdown & RCV_SHUTDOWN if clause, and then frees asoc
 > >> with sctp_association_put() and returns err = 0.
-> >> Then __sctp_connect() checks that err = 0 and reads asoc->assoc_id
+> >> Then __sctp_connect() checks that err == 0 and reads asoc->assoc_id
 > >> from the freed asoc.
 > >
 > > Suddenly this seems familiar. Your description makes sense, thanks for
@@ -62,7 +62,7 @@ index 6cdc61c21438..be1d9bb98230 100644
 	timeo = sock_sndtimeo(sk, f_flags & O_NONBLOCK);
 
 -	err = sctp_wait_for_connect(asoc, &timeo);
--	if ((err = 0 || err = -EINPROGRESS) && assoc_id)
+-	if ((err == 0 || err == -EINPROGRESS) && assoc_id)
 +	if (assoc_id)
 		*assoc_id = asoc->assoc_id;
 +	err = sctp_wait_for_connect(asoc, &timeo);
diff --git a/a/content_digest b/N1/content_digest
index dfa544f..f67d5e7 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -6,7 +6,7 @@
 "ref\0CAAeHK+yHVYmyA4hNKNKyVrZQXkUmMNDF=WFz3F1VWMAA0gqwZA@mail.gmail.com\0"
 "From\0Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>\0"
 "Subject\0Re: net/sctp: use-after-free in __sctp_connect\0"
-"Date\0Thu, 03 Nov 2016 18:35:33 +0000\0"
+"Date\0Thu, 3 Nov 2016 16:35:33 -0200\0"
 "To\0Andrey Konovalov <andreyknvl@google.com>\0"
 "Cc\0Vlad Yasevich <vyasevich@gmail.com>"
 Neil Horman <nhorman@tuxdriver.com>
@@ -33,7 +33,7 @@
 "> >> >>>\n"
 "> >> >>> I've got the following error report while running the syzkaller fuzzer:\n"
 "> >> >>>\n"
-"> >> >>> =================================\n"
+"> >> >>> ==================================================================\n"
 "> >> >>> BUG: KASAN: use-after-free in __sctp_connect+0xabe/0xbf0 at addr\n"
 "> >> >>> ffff88006b1dc610\n"
 "> >> >>\n"
@@ -52,7 +52,7 @@
 "> >> setsockopt() calls sctp_wait_for_connect(), which exits the for loop\n"
 "> >> on the sk->sk_shutdown & RCV_SHUTDOWN if clause, and then frees asoc\n"
 "> >> with sctp_association_put() and returns err = 0.\n"
-"> >> Then __sctp_connect() checks that err = 0 and reads asoc->assoc_id\n"
+"> >> Then __sctp_connect() checks that err == 0 and reads asoc->assoc_id\n"
 "> >> from the freed asoc.\n"
 "> >\n"
 "> > Suddenly this seems familiar. Your description makes sense, thanks for\n"
@@ -85,7 +85,7 @@
 " \ttimeo = sock_sndtimeo(sk, f_flags & O_NONBLOCK);\n"
 " \n"
 "-\terr = sctp_wait_for_connect(asoc, &timeo);\n"
-"-\tif ((err = 0 || err = -EINPROGRESS) && assoc_id)\n"
+"-\tif ((err == 0 || err == -EINPROGRESS) && assoc_id)\n"
 "+\tif (assoc_id)\n"
 " \t\t*assoc_id = asoc->assoc_id;\n"
 "+\terr = sctp_wait_for_connect(asoc, &timeo);\n"
@@ -96,4 +96,4 @@
 " \t/* Don't free association on exit. */\n"
 " \tasoc = NULL;"
-a7ceb5a57087fea90b6fe61f1696bfb25cab221de8d7fb21779b7d55fd66a03c
+3177a01ba9245268acf5d17cdc3d1c7af20c461505f36bb25a78e82d043379dc