From f7e5cc0c40dff92bad2894153f675c6c542ba2f0 Mon Sep 17 00:00:00 2001 From: Lothar Waßmann Date: Tue, 14 Jul 2009 23:10:21 +0000 Subject: net/can bugfix: use after free bug in can protocol drivers Fix a use after free bug in can protocol drivers The release functions of the can protocol drivers lack a call to sock_orphan() which leads to referencing freed memory under certain circumstances. This patch fixes a bug reported here: https://lists.berlios.de/pipermail/socketcan-users/2009-July/000985.html Signed-off-by: Lothar Wassmann Acked-by: Oliver Hartkopp Signed-off-by: David S. Miller --- net/can/bcm.c | 3 +++ net/can/raw.c | 3 +++ 2 files changed, 6 insertions(+) (limited to 'net')
diff --git a/net/can/bcm.c b/net/can/bcm.c
index 95d7f32643ae..1d17e41b892d 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -1469,6 +1469,9 @@ static int bcm_release(struct socket *sock)
 bo->ifindex = 0;
 }
+ sock_orphan(sk);
+ sock->sk = NULL;
+ release_sock(sk);
 sock_put(sk);
diff --git a/net/can/raw.c b/net/can/raw.c
index 6aa154e806ae..3482546e8884 100644
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -306,6 +306,9 @@ static int raw_release(struct socket *sock)
 ro->bound = 0;
 ro->count = 0;
+ sock_orphan(sk);
+ sock->sk = NULL;
+ release_sock(sk);
 sock_put(sk);
-- cgit v1.2.3
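Review bot: Once `sock->sk = NULL;` is set in bcm_release(), any later entry into this function, or any other reader of `sock->sk`, sees a NULL pointer, and the hunk starts mid-body so it does not show whether `sk` is tested before it is dereferenced. If no such test exists, add `if (!sk) return 0;` ahead of the first use of `sk`; the same applies to raw_release() in net/can/raw.c. A short comment above the new lines would also help, for example `/* detach sk from the struct socket before the socket is freed */`, because the reason for orphaning is currently recorded only in the commit message.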