| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 14 Nov 2007 20:42:38 +0100
From: Eric Dumazet <dada1@...mosbay.com>
To: Pavel Emelyanov <xemul@...nvz.org>
Cc: David Miller <davem@...emloft.net>,
Linux Netdev List <netdev@...r.kernel.org>, devel@...nvz.org
Subject: Re: [PATCH 1/2][INET] Fix potential kfree on vmalloc-ed area of
request_sock_queue
On Wed, 14 Nov 2007 21:08:29 +0300
Pavel Emelyanov <xemul@...nvz.org> wrote:
> The request_sock_queue's listen_opt is either vmalloc-ed or
> kmalloc-ed depending on the number of table entries. Thus it
> is expected to be handled properly on free, which is done in
> the reqsk_queue_destroy().
>
> However the error path in inet_csk_listen_start() calls
> the lite version of reqsk_queue_destroy, called
> __reqsk_queue_destroy, which calls the kfree unconditionally.
>
> Fix this and move the __reqsk_queue_destroy into a .c file as
> it looks too big to be inline.
>
> Signed-off-by: Pavel Emelyanov <xemul@...nvz.org>
>
> ---
>
> +void __reqsk_queue_destroy(struct request_sock_queue *queue)
> +{
> + struct listen_sock *lopt = reqsk_queue_yank_listen_sk(queue);
WARNING : lopt can be NULL here (or else the locking in reqsk_queue_yank_listen_sk() would be useless ?)
kfree(NULL) was ok, not NULL->nr_table_entries :)
> + size_t lopt_size = sizeof(struct listen_sock) +
> + lopt->nr_table_entries * sizeof(struct request_sock *);
> +
> + if (lopt_size > PAGE_SIZE)
> + vfree(lopt);
> + else
> + kfree(lopt);
> +}
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists