git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/commitdiff
UBUNTU: SAUCE: dccp: avoid double free of ccid on child socket
author: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Fri, 28 Aug 2020 02:47:47 +0000 (23:47 -0300)
committer: Andrea Righi <andrea.righi@canonical.com>
Mon, 15 Feb 2021 07:26:02 +0000 (08:26 +0100)
When a dccp socket is cloned, the pointers to dccps_hc_rx_ccid and
dccps_hc_tx_ccid are copied. When CCID features are activated on the child
socket, the CCID objects are freed, leaving the parent socket with dangling
pointers.

During cloning, set dccps_hc_rx_ccid and dccps_hc_tx_ccid to NULL so the
parent objects are not freed.

Reported-by: Hadar Manor
CVE-2020-16119
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Juerg Haefliger <juerg.haefliger@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
net/dccp/minisocks.c

index c5c74a34d139d99fb58dc5cebe4d6a8d72a214ed..317cf9a25c236f2c262a0646de603f4231ddfaac 100644
@@ -93,6 +93,8 @@ struct sock *dccp_create_openreq_child(const struct sock *sk,
 
                newdp->dccps_role           = DCCP_ROLE_SERVER;
                newdp->dccps_hc_rx_ackvec   = NULL;
+               newdp->dccps_hc_rx_ccid = NULL;
+               newdp->dccps_hc_tx_ccid = NULL;
                newdp->dccps_service_list   = NULL;
                newdp->dccps_service        = dreq->dreq_service;
                newdp->dccps_timestamp_echo = dreq->dreq_timestamp_echo;
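Review bot: the two added assignments carry no comment explaining why the child socket must start without the parent's CCID objects, so the justification lives only in the commit message; a one-line comment above `newdp->dccps_hc_rx_ccid = NULL;` stating that pointers inherited from the parent would otherwise be freed when CCID features are activated on the child (CVE-2020-16119) would keep the reason next to the code, the same way the neighbouring `dccps_hc_rx_ackvec = NULL` line resets per-socket state. Minor style point: the surrounding assignments align their `=` in one column (`newdp->dccps_hc_rx_ackvec   = NULL;`), while the new lines use a single space; matching the alignment would keep the block consistent.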