Thread (7 messages), 4 authors, 2015-12-18

Re: use-after-free in sixpack_close

From: One Thousand Gnomes <hidden>
Date: 2015-12-17 11:41:27
Also in: linux-hams, lkml

> This report is then followed by a dozen other use-after-free reports.
>
> On commit edb42dc7bc0da0125ceacab810a553ce1f0cac8d (Dec 15).
>
> Thank you

sixpack_close does unregister_netdev(sp->dev), which frees sp as sp is
actually allocated via alloc_netdev()

Then deletes two timers within sp

Then frees two buffers indexed off sp

The mkiss driver also appears to share the same bug and references
ax->rbuff/xbuff after they have been freed, and then writes to ax->tty.


Alan
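
A userland C model of the teardown ordering described in the message above, added here as an illustration; it is not code from the thread or from the kernel, and every name in it (`struct dev`, `priv_of`, `close_model`) is hypothetical. Release is modelled as a flag rather than a real free, so accesses to the private area after release can be counted safely; the reordered path is an illustration, not the upstream fix.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userland model only; every name here is hypothetical, not kernel API. */
struct priv {                 /* stands in for the driver's sp */
    char *rbuff, *xbuff;      /* the two buffers indexed off sp */
    int timers_armed;         /* the two timers within sp */
};
struct dev {                  /* stands in for the netdev allocation */
    int released;             /* set where the real code would free it */
    int late;                 /* accesses to priv after release */
    struct priv p;            /* private area shares the allocation */
};

static struct priv *priv_of(struct dev *d)
{
    if (d->released)
        d->late++;            /* in the kernel this is a use-after-free */
    return &d->p;
}
static void model_unregister(struct dev *d) { d->released = 1; }
static void stop_timers(struct dev *d) { priv_of(d)->timers_armed = 0; }
static void free_buffers(struct dev *d)
{
    struct priv *p = priv_of(d);
    free(p->rbuff); p->rbuff = NULL;
    free(p->xbuff); p->xbuff = NULL;
}

/* Returns the number of post-release accesses for the chosen ordering. */
int close_model(int unregister_first)
{
    struct dev *d = calloc(1, sizeof(*d));
    int late;
    if (!d) return -1;
    d->p.rbuff = malloc(64);
    d->p.xbuff = malloc(64);
    d->p.timers_armed = 2;
    if (unregister_first) model_unregister(d);   /* order in the report */
    stop_timers(d);
    free_buffers(d);
    if (!unregister_first) model_unregister(d);  /* teardown first, release last */
    late = d->late;
    free(d);                  /* the model frees only here, so it stays safe */
    return late;
}

int main(void)
{
    printf("first: %d, last: %d\n", close_model(1), close_model(0));
    return 0;
}
```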

