Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp2662372imj; Mon, 11 Feb 2019 06:39:21 -0800 (PST) X-Google-Smtp-Source: AHgI3IY7X7INPdMMRYfJvcx2kqQAE2zsv+NTw9QPjzl/IM0T7v4yHbwh/ACSNH71mlO70dJ6bq4o X-Received: by 2002:a62:2e46:: with SMTP id u67mr36382469pfu.3.1549895961391; Mon, 11 Feb 2019 06:39:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1549895961; cv=none; d=google.com; s=arc-20160816; b=I8U+/aVmY6zmkLZlo53qZ6eFuXund7BNrq1cYdXAfYRIrw7vUUhF8yRk8P2+PcAGIv qOOE5Kfi0YAv7kHYLKJwwipaoe6wNc5TpqIBun74tcLPHezU+kztLFUQ+fXddjvdEdA/ DrbYFYKFK5ccSTfa5RJAGFvl8J3v2wCF/mKDMRzQzdnlboEk5KGtzNdqqIbInMKULi0V rfHbeGaTi/g42ffGNTpDA/mlLF1dE1Q68PiVf+MTsc1qKxVeBBYb260AVugp5LC6a1lU HVdOdlxbcpH8djC+eeDy8d65n/elX144j+IceuNmqJonv0vAg6YjLpKihq46yHJTZO56 yc1w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=NmwCVNGpRaknCgSgCFRLPJZG9w7is6dXr5wGb4xD4b8=; b=D51H4LQfAM23Tog1sYuZObsCVlULWKlEVXTXjRRIkMRuBAvJaAfg6C1Iqwjm1rb19E BqrBSxR6Wkfbp3n81mm3m9SWTWeCw8Jt9QkFNzdQfERIPnfqb3VpaRjR5yPgO00EtcAR PR4nrGOWEw5Ktiy5E286yOlXTVlaOVTplg8s1CN0F9O6DBpE3y4YFy7M54mAfNu1SVv9 /6J1Sy2DAlJaDOtAxrkE+/h7uySt9VK9aaMiBPxNSjotdr4GG25Lje8c3414ddSQsKOf tJ2aaCNwL6l+v+oGJP3AeXZtpmrQVn9f66QEOBvp03dK1alJ9zLU66DUeQfL7Fp3Nt4J AhVg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=wGGxwqWJ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j1si9732474pff.42.2019.02.11.06.39.04; Mon, 11 Feb 2019 06:39:21 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=wGGxwqWJ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731509AbfBKOhn (ORCPT + 99 others); Mon, 11 Feb 2019 09:37:43 -0500 Received: from mail.kernel.org ([198.145.29.99]:47094 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731495AbfBKOhj (ORCPT ); Mon, 11 Feb 2019 09:37:39 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id DD7D320700; Mon, 11 Feb 2019 14:37:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1549895858; bh=TBpa5vMs0JrmUz3dafruZ0iVtKGSvh7JN5xZDGADmwQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=wGGxwqWJvpXHSnQPmJ8Up9oSs2SKkTgvlMQTR1YsXuklxHPoq9o+HYZLAudz6nSmL I+Tq9KrHJBEG8boRJXu8T0at97lgxgFyTvb9JovVKTObNn5YaC+bEeLFTAnuyFYqwj jvcs52MXMbRYXywv29m1XyDUZRivSAnMon6rzl+Q= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Secunia Research , Marcelo Ricardo Leitner , Neil Horman , "David S. Miller" Subject: [PATCH 4.20 305/352] sctp: walk the list of asoc safely Date: Mon, 11 Feb 2019 15:18:52 +0100 Message-Id: <20190211141906.269528538@linuxfoundation.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190211141846.543045703@linuxfoundation.org> References: <20190211141846.543045703@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.20-stable review patch. If anyone has any objections, please let me know. ------------------ From: Greg Kroah-Hartman [ Upstream commit ba59fb0273076637f0add4311faa990a5eec27c0 ] In sctp_sendmesg(), when walking the list of endpoint associations, the association can be dropped from the list, making the list corrupt. Properly handle this by using list_for_each_entry_safe() Fixes: 4910280503f3 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg") Reported-by: Secunia Research Tested-by: Secunia Research Signed-off-by: Greg Kroah-Hartman Acked-by: Marcelo Ricardo Leitner Acked-by: Neil Horman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/sctp/socket.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -2027,7 +2027,7 @@ static int sctp_sendmsg(struct sock *sk, struct sctp_endpoint *ep = sctp_sk(sk)->ep; struct sctp_transport *transport = NULL; struct sctp_sndrcvinfo _sinfo, *sinfo; - struct sctp_association *asoc; + struct sctp_association *asoc, *tmp; struct sctp_cmsgs cmsgs; union sctp_addr *daddr; bool new = false; @@ -2053,7 +2053,7 @@ static int sctp_sendmsg(struct sock *sk, /* SCTP_SENDALL process */ if ((sflags & SCTP_SENDALL) && sctp_style(sk, UDP)) { - list_for_each_entry(asoc, &ep->asocs, asocs) { + list_for_each_entry_safe(asoc, tmp, &ep->asocs, asocs) { err = sctp_sendmsg_check_sflags(asoc, sflags, msg, msg_len); if (err == 0)