mirror-linux/net/rose
Pwnverse 6595beb40f net: rose: fix invalid array index in rose_kill_by_device()
rose_kill_by_device() collects sockets into a local array[] and then
iterates over them to disconnect sockets bound to a device being brought
down.

The loop mistakenly indexes array[cnt] instead of array[i]. For cnt <
ARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==
ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to
an invalid socket pointer dereference and also leaks references taken
via sock_hold().

Fix the index to use i.

Fixes: 64b8bc7d5f ("net/rose: fix races in rose_kill_by_device()")
Co-developed-by: Fatma Alwasmi <falwasmi@purdue.edu>
Signed-off-by: Fatma Alwasmi <falwasmi@purdue.edu>
Signed-off-by: Pwnverse <stanksal@purdue.edu>
Link: https://patch.msgid.link/20251222212227.4116041-1-ritviktanksalkar@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2025-12-30 11:45:51 +01:00
Makefile
af_rose.c net: rose: fix invalid array index in rose_kill_by_device() 2025-12-30 11:45:51 +01:00
rose_dev.c rose: constify dev_addr passing 2021-10-13 09:40:45 -07:00
rose_in.c net: rose: convert 'use' field to refcount_t 2025-08-27 07:43:08 -07:00
rose_link.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
rose_loopback.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
rose_out.c
rose_route.c net: rose: fix a typo in rose_clear_routes() 2025-08-27 17:27:52 -07:00
rose_subr.c
rose_timer.c net: rose: convert 'use' field to refcount_t 2025-08-27 07:43:08 -07:00
sysctl_net_rose.c net: Remove ctl_table sentinel elements from several networking subsystems 2024-05-03 13:29:42 +01:00