diff options
author | Tyler Hicks <tyhicks@canonical.com> | 2018-09-04 15:24:04 +0000 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2018-10-03 04:10:07 +0100 |
commit | af8f681e48239817afb290f4e8ee3ca094f513e6 (patch) | |
tree | 9c42e1a95105124a94b042ee9c87a3a077b1671f | |
parent | 35560b4505e40d45ad6a261fce98afa0993cbb6e (diff) |
irda: Fix memory leak caused by repeated binds of irda socket
The irda_bind() function allocates memory for self->ias_obj without
checking to see if the socket is already bound. A userspace process
could repeatedly bind the socket, have each new object added into the
LM-IAS database, and lose the reference to the old object assigned to
the socket to exhaust memory resources. This patch errors out of the
bind operation when self->ias_obj is already assigned.
CVE-2018-6554
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-rw-r--r-- | net/irda/af_irda.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c index a34379892d85..96459b265d09 100644 --- a/net/irda/af_irda.c +++ b/net/irda/af_irda.c @@ -786,6 +786,13 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) return -EINVAL; lock_sock(sk); + + /* Ensure that the socket is not already bound */ + if (self->ias_obj) { + err = -EINVAL; + goto out; + } + #ifdef CONFIG_IRDA_ULTRA /* Special care for Ultra sockets */ if ((sk->sk_type == SOCK_DGRAM) && |