[PATCH] Fix use-after-free in tun/tap driver

Luca Barbieri (lb@lb.ods.org)
14 Jun 2003 14:02:35 +0200


unregister_netdevice works asynchronously so freeing the device
structure immediately after calling it is not a good idea.

The memory should instead be freed in the net_device destructor, and the
patch does this.

--- linux-2.5.70/drivers/net/tun.c~ 2003-05-27 03:00:39.000000000 +0200
+++ linux-2.5.70/drivers/net/tun.c 2003-06-14 11:27:09.000000000 +0200
@@ -115,6 +115,11 @@ static struct net_device_stats *tun_net_
return &tun->stats;
}

+void tun_net_destroy(struct net_device *dev)
+{
+ kfree((char*)dev - offsetof(struct tun_struct, dev));
+}
+
/* Initialize net device. */
int tun_net_init(struct net_device *dev)
{
@@ -127,6 +132,7 @@ int tun_net_init(struct net_device *dev)
dev->hard_start_xmit = tun_net_xmit;
dev->stop = tun_net_close;
dev->get_stats = tun_net_stats;
+ dev->destructor = tun_net_destroy;

switch (tun->flags & TUN_TYPE_MASK) {
case TUN_TUN_DEV:
@@ -551,7 +557,6 @@ static int tun_chr_close(struct inode *i
if (!(tun->flags & TUN_PERSIST)) {
dev_close(&tun->dev);
unregister_netdevice(&tun->dev);
- kfree(tun);
}

rtnl_unlock();

-- 
Luca Barbieri <lb@lb.ods.org>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/