udp: fix possible user after free in error handler [Linux 5.0]

This Linux kernel change "udp: fix possible user after free in error handler" is included in the Linux 5.0 release. It was authored by Paolo Abeni <pabeni [at] redhat.com> on Thu Feb 21 17:44:00 2019 +0100. The commit for this change in the Linux stable tree is 92b9536 (patch).

udp: fix possible user after free in error handler

Similar to the previous commit, this addresses the same issue for
ipv4: use a single fetch operation and use the correct rcu

Fixes: e7cc082455cb ("udp: Support for error handlers of tunnels with arbitrary destination port")
Signed-off-by: Paolo Abeni <[email protected]>
Acked-by: Stefano Brivio <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

This change adds or deletes 6 lines of Linux source code. The code changes to the Linux kernel are as follows.

 net/ipv4/udp.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 5c3cd5d..372fdc5 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -562,10 +562,12 @@ static int __udp4_lib_err_encap_no_sk(struct sk_buff *skb, u32 info)

    for (i = 0; i < MAX_IPTUN_ENCAP_OPS; i++) {
        int (*handler)(struct sk_buff *skb, u32 info);
+       const struct ip_tunnel_encap_ops *encap;

-       if (!iptun_encaps[i])
+       encap = rcu_dereference(iptun_encaps[i]);
+       if (!encap)
-       handler = rcu_dereference(iptun_encaps[i]->err_handler);
+       handler = encap->err_handler;
        if (handler && !handler(skb, info))
            return 0;
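
Review bot: The single `rcu_dereference(iptun_encaps[i])` into `encap` is only safe if `__udp4_lib_err_encap_no_sk()` runs inside an RCU read-side critical section that covers the whole loop iteration, including the `handler(skb, info)` call, and nothing in the hunk states that requirement. Suggest a short comment on the function or above the loop saying it must be called under `rcu_read_lock()`, so that later callers do not reintroduce the use after free. Separately, as displayed here `if (!encap)` is followed directly by `handler = encap->err_handler;` with no body line visible between them; please confirm the unchanged line that skips empty slots is still present, because without it only the NULL case would reach the `encap->err_handler` load.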
