Alexey Kodanev 67f93df79a dccp: check sk for closed state in dccp_sendmsg() ... dccp_disconnect() sets 'dp->dccps_hc_tx_ccid' tx handler to NULL, therefore if DCCP socket is disconnected and dccp_sendmsg() is called after it, it will cause a NULL pointer dereference in dccp_write_xmit(). This crash and the reproducer was reported by syzbot. Looks like it is reproduced if commit 69c64866ce ("dccp: CVE-2017-8824: use-after-free in DCCP code") is applied. Reported-by: syzbot+f99ab3887ab65d70f816@syzkaller.appspotmail.com Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>		2018-03-07 13:38:56 -05:00
..
ccids	dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state	2018-01-26 11:15:00 -05:00
ackvec.c	net: dccp: drop unneeded newline	2018-01-02 13:49:32 -05:00
ackvec.h
ccid.c
ccid.h
dccp.h	net: annotate ->poll() instances	2017-11-27 16:20:04 -05:00
diag.c
feat.c	dccp: fix a memleak for dccp_feat_init err process	2017-07-27 00:01:05 -07:00
feat.h
input.c	net: dccp: mark expected switch fall-throughs	2017-10-16 21:15:21 +01:00
ipv4.c	tcp/dccp: fix other lockdep splats accessing ireq_opt	2017-10-26 17:41:32 +09:00
ipv6.c	net: dccp: Add handling of IPV6_PKTOPTIONS to dccp_v6_do_rcv()	2017-08-31 11:43:47 -07:00
ipv6.h
Kconfig	net: dccp: Remove dccpprobe module	2018-01-02 14:27:30 -05:00
Makefile	net: dccp: Remove dccpprobe module	2018-01-02 14:27:30 -05:00
minisocks.c	tcp/dccp: avoid one atomic operation for timewait hashdance	2017-12-13 14:33:10 -05:00
options.c	net: dccp: mark expected switch fall-throughs	2017-10-16 21:15:21 +01:00
output.c
proto.c	dccp: check sk for closed state in dccp_sendmsg()	2018-03-07 13:38:56 -05:00
qpolicy.c
sysctl.c
timer.c	net: dccp: Convert timers to use timer_setup()	2017-10-25 12:59:19 +09:00
trace.h	net: dccp: Add DCCP sendmsg trace event	2018-01-02 14:27:30 -05:00