mirror-linux/net/netrom
Jeongjun Park ba1096c315 netrom: fix double-free in nr_route_frame()
In nr_route_frame(), old_skb is immediately freed without checking if
nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL,
the caller function will free old_skb again, causing a double-free bug.

Therefore, to prevent this, we need to modify it to check whether
nr_neigh->ax25 is NULL before freeing old_skb.

Cc: <stable@vger.kernel.org>
Reported-by: syzbot+999115c3bf275797dc27@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0029.GAE@google.com/
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Link: https://patch.msgid.link/20260119063359.10604-1-aha310510@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-01-20 19:15:40 -08:00
Makefile treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
af_netrom.c net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
nr_dev.c netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser 2024-03-07 10:36:58 +01:00
nr_in.c netrom: Fix data-races around sysctl_net_busy_read 2024-03-07 10:36:58 +01:00
nr_loopback.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
nr_out.c netrom: Fix memory leak in nr_sendmsg() 2025-12-04 11:01:17 +01:00
nr_route.c netrom: fix double-free in nr_route_frame() 2026-01-20 19:15:40 -08:00
nr_subr.c netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser 2024-03-07 10:36:58 +01:00
nr_timer.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
sysctl_net_netrom.c net: Remove ctl_table sentinel elements from several networking subsystems 2024-05-03 13:29:42 +01:00