2568a7e083
The l1oip_cleanup() traverses the l1oip_ilist and calls
release_card() to cleanup module and stack. However,
release_card() calls del_timer() to delete the timers
such as keep_tl and timeout_tl. If the timer handler is
running, the del_timer() will not stop it and result in
UAF bugs. One of the processes is shown below:
(cleanup routine) | (timer handler)
release_card() | l1oip_timeout()
... |
del_timer() | ...
... |
kfree(hc) //FREE |
| hc->timeout_on = 0 //USE
Fix by calling del_timer_sync() in release_card(), which
makes sure the timer handlers have finished before the
resources, such as l1oip and so on, have been deallocated.
What's more, the hc->workq and hc->socket_thread can kick
those timers right back in. We add a bool flag to show
if card is released. Then, check this flag in hc->workq
and hc->socket_thread.
Fixes: 3712b42d4b ("Add layer1 over IP support")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
93 lines
2.6 KiB
C
93 lines
2.6 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/*
|
|
* see notice in l1oip.c
|
|
*/
|
|
|
|
/* debugging */
|
|
#define DEBUG_L1OIP_INIT 0x00010000
|
|
#define DEBUG_L1OIP_SOCKET 0x00020000
|
|
#define DEBUG_L1OIP_MGR 0x00040000
|
|
#define DEBUG_L1OIP_MSG 0x00080000
|
|
|
|
/* enable to disorder received bchannels by sequence 2143658798... */
|
|
/*
|
|
#define REORDER_DEBUG
|
|
*/
|
|
|
|
/* frames */
|
|
#define L1OIP_MAX_LEN 2048 /* max packet size form l2 */
|
|
#define L1OIP_MAX_PERFRAME 1400 /* max data size in one frame */
|
|
|
|
|
|
/* timers */
|
|
#define L1OIP_KEEPALIVE 15
|
|
#define L1OIP_TIMEOUT 65
|
|
|
|
|
|
/* socket */
|
|
#define L1OIP_DEFAULTPORT 931
|
|
|
|
|
|
/* channel structure */
|
|
struct l1oip_chan {
|
|
struct dchannel *dch;
|
|
struct bchannel *bch;
|
|
u32 tx_counter; /* counts xmit bytes/packets */
|
|
u32 rx_counter; /* counts recv bytes/packets */
|
|
u32 codecstate; /* used by codec to save data */
|
|
#ifdef REORDER_DEBUG
|
|
int disorder_flag;
|
|
struct sk_buff *disorder_skb;
|
|
u32 disorder_cnt;
|
|
#endif
|
|
};
|
|
|
|
|
|
/* card structure */
|
|
struct l1oip {
|
|
struct list_head list;
|
|
|
|
/* card */
|
|
int registered; /* if registered with mISDN */
|
|
char name[MISDN_MAX_IDLEN];
|
|
int idx; /* card index */
|
|
int pri; /* 1=pri, 0=bri */
|
|
int d_idx; /* current dchannel number */
|
|
int b_num; /* number of bchannels */
|
|
u32 id; /* id of connection */
|
|
int ondemand; /* if transmis. is on demand */
|
|
int bundle; /* bundle channels in one frm */
|
|
int codec; /* codec to use for transmis. */
|
|
int limit; /* limit number of bchannels */
|
|
bool shutdown; /* if card is released */
|
|
|
|
/* timer */
|
|
struct timer_list keep_tl;
|
|
struct timer_list timeout_tl;
|
|
int timeout_on;
|
|
struct work_struct workq;
|
|
|
|
/* socket */
|
|
struct socket *socket; /* if set, socket is created */
|
|
struct completion socket_complete;/* completion of sock thread */
|
|
struct task_struct *socket_thread;
|
|
spinlock_t socket_lock; /* access sock outside thread */
|
|
u32 remoteip; /* if all set, ip is assigned */
|
|
u16 localport; /* must always be set */
|
|
u16 remoteport; /* must always be set */
|
|
struct sockaddr_in sin_local; /* local socket name */
|
|
struct sockaddr_in sin_remote; /* remote socket name */
|
|
struct msghdr sendmsg; /* ip message to send */
|
|
struct kvec sendiov; /* iov for message */
|
|
|
|
/* frame */
|
|
struct l1oip_chan chan[128]; /* channel instances */
|
|
};
|
|
|
|
extern int l1oip_law_to_4bit(u8 *data, int len, u8 *result, u32 *state);
|
|
extern int l1oip_4bit_to_law(u8 *data, int len, u8 *result);
|
|
extern int l1oip_alaw_to_ulaw(u8 *data, int len, u8 *result);
|
|
extern int l1oip_ulaw_to_alaw(u8 *data, int len, u8 *result);
|
|
extern void l1oip_4bit_free(void);
|
|
extern int l1oip_4bit_alloc(int ulaw);
|