Re: [PATCH v2 3/3] pppoatm: protect against freeing of vcc

From: David Woodhouse
Date: Tue Nov 27 2012 - 12:16:28 EST


Krzysztof, you've fixed a bunch of races... but I think there's one
still left.

An ATM driver will often have code like this, which gets called from
arbitrary contexts:
    if (vcc->pop)
        vcc->pop(vcc, skb);

Now, what happens if pppoatm_send(vcc, NULL) happens after the address
of vcc->pop (currently pppoatm_pop) has been loaded, but before the
function is actually called?

You tear down all the setup and set vcc->user_back to NULL. And then
pppoatm_pop() gets called. And promptly crashes because pvcc is NULL.

A lot of these problems exist for br2684 too, and in prodding at it a
little I can consistently crash the system by sending a flood of
outbound packets while I kill the br2684ctl program. I end up in
br2684_pop() with vcc->user_back == NULL. In looking to see how you'd
fixed that in pppoatm, I realised that you haven't... :)

--
dwmw2

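The interleaving described in the mail, replayed as an added user-space C model. This is illustration added to the archive page, not kernel code and not Krzysztof's or David's patch: struct vcc, sk_buff, pvcc, the pop/old_pop/user_back fields and the function names are hypothetical stand-ins that only borrow the mail's vocabulary. pppoatm_pop_unsafe is the hook as the mail describes the hazard (it assumes user_back is valid); pppoatm_pop_hardened tolerates being invoked after teardown by handing the skb to the original pop instead of dereferencing the cleared pointer. replay_race() performs exactly the three steps from the mail: the driver reads vcc->pop, pppoatm_send(vcc, NULL) tears down, then the stale pointer is called. The model covers only the NULL user_back dereference, not the freeing of the vcc itself that the patch title refers to; a check in the hook alone is not a complete fix, since teardown can still run between the hook's own read of user_back and its use, so a real fix additionally has to order teardown against in-flight callbacks.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel objects named in the mail. Added
 * user-space model, not Linux code; all names here are hypothetical. */
struct sk_buff { int len; int freed; };

struct vcc;
typedef int (*pop_fn)(struct vcc *vcc, struct sk_buff *skb);

struct vcc {
    pop_fn pop;        /* driver invokes this when it is done with a TX skb */
    pop_fn old_pop;    /* the pop that was installed before pppoatm hooked it */
    void  *user_back;  /* pppoatm private state; teardown sets it to NULL */
};

struct pvcc { int pops_handled; };

/* rc: 1 = handled with live pvcc, 0 = fell back to the original pop */
struct outcome { int rc; int skb_freed; };

/* The pre-hook pop: just releases the skb. */
static int default_pop(struct vcc *vcc, struct sk_buff *skb)
{
    (void)vcc;
    skb->freed = 1;
    return 0;
}

/* Hook as the mail describes the hazard: assumes user_back is still valid.
 * Fine in the normal ordering; a NULL dereference in the race. */
static int pppoatm_pop_unsafe(struct vcc *vcc, struct sk_buff *skb)
{
    struct pvcc *pvcc = vcc->user_back;   /* NULL once teardown has run */
    pvcc->pops_handled++;
    default_pop(vcc, skb);
    return 1;
}

/* Hardened hook: if teardown already cleared user_back, release the skb
 * through the original pop so nothing leaks and nothing is dereferenced. */
static int pppoatm_pop_hardened(struct vcc *vcc, struct sk_buff *skb)
{
    struct pvcc *pvcc = vcc->user_back;
    if (!pvcc)
        return vcc->old_pop(vcc, skb);
    pvcc->pops_handled++;
    default_pop(vcc, skb);
    return 1;
}

/* Models the pppoatm_send(vcc, NULL) teardown path from the mail. */
static void pppoatm_teardown(struct vcc *vcc)
{
    vcc->pop = vcc->old_pop;
    vcc->user_back = NULL;
}

/* Normal ordering: the driver's pop call completes before teardown runs. */
static struct outcome replay_normal(pop_fn hook)
{
    struct pvcc priv = { 0 };
    struct vcc vcc = { hook, default_pop, &priv };
    struct sk_buff skb = { 64, 0 };
    struct outcome out;

    out.rc = vcc.pop ? vcc.pop(&vcc, &skb) : 0;  /* if (vcc->pop) vcc->pop(vcc, skb); */
    pppoatm_teardown(&vcc);
    out.skb_freed = skb.freed;
    return out;
}

/* The interleaving from the mail: the driver has loaded vcc->pop, teardown
 * runs, and only then is the loaded pointer invoked. With pppoatm_pop_unsafe
 * this is the NULL dereference; the hardened hook survives it. */
static struct outcome replay_race(pop_fn hook)
{
    struct pvcc priv = { 0 };
    struct vcc vcc = { hook, default_pop, &priv };
    struct sk_buff skb = { 64, 0 };
    struct outcome out;
    pop_fn loaded = vcc.pop;        /* driver: address of vcc->pop is read ... */

    pppoatm_teardown(&vcc);         /* ... teardown lands in between ... */
    out.rc = loaded(&vcc, &skb);    /* ... and the stale pointer is called */
    out.skb_freed = skb.freed;
    return out;
}

int main(void)
{
    struct outcome n = replay_normal(pppoatm_pop_unsafe);
    struct outcome r = replay_race(pppoatm_pop_hardened);

    printf("normal order, unsafe hook: rc=%d skb_freed=%d\n", n.rc, n.skb_freed);
    printf("raced order, hardened hook: rc=%d skb_freed=%d\n", r.rc, r.skb_freed);
    return (n.rc == 1 && r.rc == 0 && r.skb_freed == 1) ? 0 : 1;
}
```

In the raced replay the hardened hook returns 0 and the skb is still marked freed, which is the observable difference from the unsafe hook that would have crashed at the same point.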