| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 May 2007 22:58:08 +0200
From: Jesper Juhl <jesper.juhl@...il.com>
To: Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Cc: Per Linden <per.liden@...csson.com>,
Jon Maloy <jon.maloy@...csson.com>,
Allan Stephens <allan.stephens@...driver.com>,
tipc-discussion@...ts.sourceforge.net,
Jesper Juhl <jesper.juhl@...il.com>
Subject: [PATCH] Fix potential memory leak in tipc_named_node_up()
There seems to be a memory leak in net/tipc/name_distr.c::tipc_named_node_up()
The function, with comments, is this :
void tipc_named_node_up(unsigned long node)
{
struct publication *publ;
struct distr_item *item = NULL;
struct sk_buff *buf = NULL;
u32 left = 0;
u32 rest;
u32 max_item_buf;
read_lock_bh(&tipc_nametbl_lock);
max_item_buf = TIPC_MAX_USER_MSG_SIZE / ITEM_SIZE;
max_item_buf *= ITEM_SIZE;
rest = publ_cnt * ITEM_SIZE;
list_for_each_entry(publ, &publ_root, local_list) {
-----> If we stop processing here after doing 1, 2 & 3 below we end up at (4) (below).
if (!buf) {
left = (rest <= max_item_buf) ? rest : max_item_buf;
rest -= left;
buf = named_prepare_buf(PUBLICATION, left, node);
-----> (1) here we allocate memory and store a pointer to it in 'buf'.
if (!buf) {
-----> (2) This test needs to fail, meaning we did allocate some memory.
warn("Bulk publication distribution failure\n");
goto exit;
}
item = (struct distr_item *)msg_data(buf_msg(buf));
}
publ_to_item(item, publ);
item++;
left -= ITEM_SIZE;
if (!left) {
-----> (3) If this test fails we loop and do nothing to 'buf'.
msg_set_link_selector(buf_msg(buf), node);
dbg("tipc_named_node_up: sending publish msg to "
"<%u.%u.%u>\n", tipc_zone(node),
tipc_cluster(node), tipc_node(node));
tipc_link_send(buf, node, node);
buf = NULL;
}
}
exit:
read_unlock_bh(&tipc_nametbl_lock);
-----> (4) here we return without freeing 'buf' - memory leak.
}
Luckily this is easy to fix, since we can only leave the function with 'buf'
either set to NULL or (in the leak case) set to a valid address, and since
kfree() handles being passed NULL gracefully we can simply kfree(buf) just
before we leave the function.
The patch below frees 'buf' before leaving the function, thus avoiding the
potential leak.
Fix a potential memory leak in tipc_named_node_up()
Signed-off-by: Jesper Juhl <jesper.juhl@...il.com>
---
net/tipc/name_distr.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c
index 39fd161..228ccfe 100644
--- a/net/tipc/name_distr.c
+++ b/net/tipc/name_distr.c
@@ -204,6 +204,7 @@ void tipc_named_node_up(unsigned long node)
}
exit:
read_unlock_bh(&tipc_nametbl_lock);
+ kfree(buf);
}
/**
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists