can: isotp: prevent race between isotp_bind() and isotp_setsockopt() - linux/linux-stable.git

diff options

author	Norbert Slusarek <nslusarek@gmx.net>	2021-05-12 00:43:54 +0200
committer	Marc Kleine-Budde <mkl@pengutronix.de>	2021-05-12 08:52:47 +0200
commit	2b17c400aeb44daf041627722581ade527bb3c1d (patch)
tree	9698aa0e13520c2f97bc508c37a19a98906f751b /tools/perf/scripts/python/export-to-postgresql.py
parent	440c3247cba3d9433ac435d371dd7927d68772a7 (diff)

can: isotp: prevent race between isotp_bind() and isotp_setsockopt()

A race condition was found in isotp_setsockopt() which allows to change socket options after the socket was bound. For the specific case of SF_BROADCAST support, this might lead to possible use-after-free because can_rx_unregister() is not called. Checking for the flag under the socket lock in isotp_bind() and taking the lock in isotp_setsockopt() fixes the issue. Fixes: 921ca574cd38 ("can: isotp: add SF_BROADCAST support for functional addressing") Link: https://lore.kernel.org/r/trinity-e6ae9efa-9afb-4326-84c0-f3609b9b8168-1620773528307@3c-app-gmx-bs06 Reported-by: Norbert Slusarek <nslusarek@gmx.net> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Signed-off-by: Norbert Slusarek <nslusarek@gmx.net> Acked-by: Oliver Hartkopp <socketcan@hartkopp.net> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

Diffstat (limited to 'tools/perf/scripts/python/export-to-postgresql.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: