Re: use-after-free in sixpack_close
From: One Thousand Gnomes <hidden>
Date: 2015-12-17 11:41:27
Also in:
linux-hams, lkml
This report is then followed by a dozen other use-after-free reports. On commit edb42dc7bc0da0125ceacab810a553ce1f0cac8d (Dec 15). Thank you
sixpack_close does unregister_netdev(sp->dev), which frees sp as sp is actually allocated via alloc_netdev()

Then deletes two timers within sp
Then frees two buffers indexed off sp

The mkiss driver also appears to share the same bug and references ax->rbuff/xbuff after they have been freed, and then writes to ax->tty.

Alan
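The teardown order described in the message above, as an added user-space C model that is not part of the original post and is not kernel code. The model_* names, priv_of and stale_after_close are hypothetical, and the reordered path (finish with sp, then unregister) is an assumption made for illustration, not a fix stated in the thread.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed user-space model; every name here is hypothetical, not kernel API. */
struct model_priv {                 /* stands in for the driver's sp */
    bool timer_armed[2];            /* the two timers inside sp */
    unsigned char *rbuff, *xbuff;   /* the two buffers indexed off sp */
};
struct model_netdev {               /* stands in for the alloc_netdev() allocation */
    bool live;                      /* false once the device has been released */
    struct model_priv priv;         /* private area embedded in the device */
};
static int stale_accesses;          /* uses of priv after the device was released */

/* All access to priv goes through here, so a stale use is counted. The model
 * never really frees the device, which keeps the demonstration well defined. */
static struct model_priv *priv_of(struct model_netdev *dev)
{
    if (!dev->live)
        stale_accesses++;
    return &dev->priv;
}

/* Models unregister_netdev() releasing the device and the sp inside it. */
static void model_unregister(struct model_netdev *dev) { dev->live = false; }

static void model_release_priv(struct model_netdev *dev)
{
    priv_of(dev)->timer_armed[0] = false;   /* delete first timer */
    priv_of(dev)->timer_armed[1] = false;   /* delete second timer */
    free(priv_of(dev)->rbuff);              /* free first buffer */
    free(priv_of(dev)->xbuff);              /* free second buffer */
}

/* Runs the close path in either order and returns the number of stale uses. */
int stale_after_close(bool unregister_first)
{
    struct model_netdev dev = { .live = true, .priv.timer_armed = { true, true } };
    dev.priv.rbuff = malloc(64);
    dev.priv.xbuff = malloc(64);
    stale_accesses = 0;
    if (unregister_first)
        model_unregister(&dev);             /* order described in the message */
    model_release_priv(&dev);
    if (!unregister_first)
        model_unregister(&dev);             /* assumed reordering: release last */
    return stale_accesses;
}

int main(void) { return stale_after_close(true) == 4 && stale_after_close(false) == 0 ? 0 : 1; }
```

With the device released first, all four later steps (two timer deletions, two buffer frees) go through the stale private area; with the release moved last, none do.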