Commit 9950f095 authored by Luiz Augusto von Dentz

Bluetooth: ISO: Fix possible UAF on iso_conn_free



This attempts to fix a similar issue to sco_conn_free, where if
conn->sk is not set to NULL it may lead to UAF on iso_conn_free.

Fixes: ccf74f23 ("Bluetooth: Add BTPROTO_ISO socket type")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
parent ecb9a843
+7 −0
@@ -761,6 +761,13 @@ static void iso_sock_kill(struct sock *sk)

	BT_DBG("sk %p state %d", sk, sk->sk_state);

	/* Sock is dead, so set conn->sk to NULL to avoid possible UAF */
	if (iso_pi(sk)->conn) {
		iso_conn_lock(iso_pi(sk)->conn);
		iso_pi(sk)->conn->sk = NULL;
		iso_conn_unlock(iso_pi(sk)->conn);
	}

	/* Kill poor orphan */
	bt_sock_unlink(&iso_sk_list, sk);
	sock_set_flag(sk, SOCK_DEAD);
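Review bot: clearing conn->sk under iso_conn_lock() only closes the UAF if every reader of conn->sk on the iso_conn_free path tests the pointer under that same lock; this hunk shows only the writer side, so please confirm the free/cleanup side takes iso_conn_lock() before dereferencing conn->sk, otherwise a reader can still load the stale socket pointer between the check and the NULL store. Two smaller points: the `if (iso_pi(sk)->conn)` test itself reads the conn pointer outside the lock, which is fine only if iso_pi(sk)->conn cannot change concurrently while the socket is being killed (worth a comment), and since the message says this mirrors the sco_conn_free fix, referencing that commit in the description would make the shared pattern easier to audit.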