Headline
CVE-2017-15115: [net] sctp: do not peel off an assoc from one netns to another one
The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel before 4.14 does not check whether the intended netns is used in a peel-off action, which allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls.
Message ID
e637d68ce6f4f94dce8cb30c647e672ebb1f0b7b.1508253970.git.lucien.xin@gmail.com
State
Accepted, archived
Delegated to:
David Miller
Series
[net] sctp: do not peel off an assoc from one netns to another one
Patch
diff --git a/net/sctp/socket.c b/net/sctp/socket.c index d4730ad…17841ab 100644 — a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -4906,6 +4906,10 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp) struct socket *sock; int err = 0;
- /* Do not peel off from one netns to another one. */
- if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))
return -EINVAL;
- if (!asoc) return -EINVAL;
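Review bot: the new netns check at the top of sctp_do_peeloff returns -EINVAL, the same errno the existing `if (!asoc)` check below it returns, so a caller cannot distinguish a cross-netns peel-off from an invalid association id; if that distinction is useful for diagnosing the bug this fixes, consider a distinct errno or at least spelling out in the commit message that both cases share -EINVAL. The added comment could also state why dereferencing `current->nsproxy->net_ns` without a NULL check is safe here, namely that this path is only reached from the calling task's own syscall context, so a future caller from a different context does not silently inherit that assumption.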