WSL2-Linux-Kernel/net/can
Norbert Slusarek 2b17c400ae can: isotp: prevent race between isotp_bind() and isotp_setsockopt()
A race condition was found in isotp_setsockopt() which allows to
change socket options after the socket was bound.
For the specific case of SF_BROADCAST support, this might lead to possible
use-after-free because can_rx_unregister() is not called.

Checking for the flag under the socket lock in isotp_bind() and taking
the lock in isotp_setsockopt() fixes the issue.

Fixes: 921ca574cd ("can: isotp: add SF_BROADCAST support for functional addressing")
Link: https://lore.kernel.org/r/trinity-e6ae9efa-9afb-4326-84c0-f3609b9b8168-1620773528307@3c-app-gmx-bs06
Reported-by: Norbert Slusarek <nslusarek@gmx.net>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Norbert Slusarek <nslusarek@gmx.net>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2021-05-12 08:52:47 +02:00
..
j1939 net: introduce CAN specific pointer in the struct net_device 2021-02-24 14:32:15 -08:00
Kconfig net: remove redundant 'depends on NET' 2021-01-27 17:04:12 -08:00
Makefile can: add ISO 15765-2:2016 transport protocol 2020-10-07 23:18:33 +02:00
af_can.c net: introduce CAN specific pointer in the struct net_device 2021-02-24 14:32:15 -08:00
af_can.h can: introduce CAN midlayer private and allocate it automatically 2019-09-04 13:29:14 +02:00
bcm.c can: bcm/raw: fix msg_namelen values depending on CAN_REQUIRED_SIZE 2021-03-29 09:51:20 +02:00
gw.c can: gw: fix typo 2021-01-27 10:01:46 +01:00
isotp.c can: isotp: prevent race between isotp_bind() and isotp_setsockopt() 2021-05-12 08:52:47 +02:00
proc.c can: proc: fix rcvlist_* header alignment on 64-bit system 2021-04-25 19:43:00 +02:00
raw.c can: bcm/raw: fix msg_namelen values depending on CAN_REQUIRED_SIZE 2021-03-29 09:51:20 +02:00