summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorIgnat Korchagin <ignat@cloudflare.com>2024-10-14 16:38:02 +0100
committerJakub Kicinski <kuba@kernel.org>2024-10-15 18:43:08 -0700
commit3945c799f12b8d1f49a3b48369ca494d981ac465 (patch)
treec280f0d4f02836472fea6e7337a17538dddb164f
parent7c4f78cdb8e7501e9f92d291a7d956591bf73be9 (diff)
downloadlinux-3945c799f12b8d1f49a3b48369ca494d981ac465.tar.gz
linux-3945c799f12b8d1f49a3b48369ca494d981ac465.tar.bz2
linux-3945c799f12b8d1f49a3b48369ca494d981ac465.zip
Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc()
bt_sock_alloc() attaches allocated sk object to the provided sock object. If rfcomm_dlc_alloc() fails, we release the sk object, but leave the dangling pointer in the sock object, which may cause use-after-free. Fix this by swapping calls to bt_sock_alloc() and rfcomm_dlc_alloc(). Signed-off-by: Ignat Korchagin <ignat@cloudflare.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20241014153808.51894-4-ignat@cloudflare.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat
-rw-r--r--net/bluetooth/rfcomm/sock.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index f48250e3f2e1..355e1a1698f5 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -274,13 +274,13 @@ static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock,
struct rfcomm_dlc *d;
struct sock *sk;
- sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern);
- if (!sk)
+ d = rfcomm_dlc_alloc(prio);
+ if (!d)
return NULL;
- d = rfcomm_dlc_alloc(prio);
- if (!d) {
- sk_free(sk);
+ sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern);
+ if (!sk) {
+ rfcomm_dlc_free(d);
return NULL;
}
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-29 21:19:03 +0000