lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20070528231524.GA17298@atjola.homenet>
Date:	Tue, 29 May 2007 01:15:24 +0200
From:	Björn Steinbrink <B.Steinbrink@....de>
To:	Jesper Juhl <jesper.juhl@...il.com>
Cc:	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Per Linden <per.liden@...csson.com>,
	Jon Maloy <jon.maloy@...csson.com>,
	Allan Stephens <allan.stephens@...driver.com>,
	tipc-discussion@...ts.sourceforge.net
Subject: Re: [PATCH] Fix potential memory leak in tipc_named_node_up()

On 2007.05.28 22:58:08 +0200, Jesper Juhl wrote:
> There seems to be a memory leak in net/tipc/name_distr.c::tipc_named_node_up()
> 
> The function, with comments, is this :
> 
> void tipc_named_node_up(unsigned long node)
> {
>         struct publication *publ;
>         struct distr_item *item = NULL;
>         struct sk_buff *buf = NULL;
>         u32 left = 0;
>         u32 rest;
>         u32 max_item_buf;
> 
>         read_lock_bh(&tipc_nametbl_lock);
>         max_item_buf = TIPC_MAX_USER_MSG_SIZE / ITEM_SIZE;
>         max_item_buf *= ITEM_SIZE;
>         rest = publ_cnt * ITEM_SIZE;
> 
>         list_for_each_entry(publ, &publ_root, local_list) {
> -----> If we stop processing here after doing 1, 2 & 3 below we end up at (4) (below).
>                 if (!buf) {
>                         left = (rest <= max_item_buf) ? rest : max_item_buf;
>                         rest -= left;
>                         buf = named_prepare_buf(PUBLICATION, left, node);
> -----> (1) here we allocate memory and store a pointer to it in 'buf'.
> 
>                         if (!buf) {
> -----> (2) This test needs to fail, meaning we did allocate some memory.
>                                 warn("Bulk publication distribution failure\n");
>                                 goto exit;
>                         }
>                         item = (struct distr_item *)msg_data(buf_msg(buf));
>                 }
>                 publ_to_item(item, publ);
>                 item++;
>                 left -= ITEM_SIZE;
>                 if (!left) {
> -----> (3) If this test fails we loop and do nothing to 'buf'.
>                         msg_set_link_selector(buf_msg(buf), node);
>                         dbg("tipc_named_node_up: sending publish msg to "
>                             "<%u.%u.%u>\n", tipc_zone(node),
>                             tipc_cluster(node), tipc_node(node));
>                         tipc_link_send(buf, node, node);
>                         buf = NULL;
>                 }
>         }
> exit:
>         read_unlock_bh(&tipc_nametbl_lock);
> -----> (4) here we return without freeing 'buf' - memory leak.
> }
> 
> Luckily this is easy to fix, since we can only leave the function with 'buf'
> either set to NULL or (in the leak case) set to a valid address, and since 
> kfree() handles being passed NULL gracefully we can simply kfree(buf) just 
> before we leave the function.

Actually, I don't think that there's a leak.

publ_cnt: Number of items in the list

rest = publ_cnt * ITEM_SIZE
max_item_buf = n * ITEM_SIZE (Buffer can hold n elements at most)

1)
If publ_cnt <= n, "rest" becomes 0 and "left" becomes publ_cnt * ITEM_SIZE,
so for the last iteration "left" becomes 0 and "buf" is freed.

2)
And if publ_cnt > n, "left" becomes 0 in the nth iteration. As "rest"
already got decrement by n * ITEM_SIZE, you now got:
rest = (publ_cnt - n) * ITEM_SIZE
Then after 2*n iterations:
rest = (publ_cnt - 2*n) * ITEM_SIZE
and so on, until publ_cnt - m*n < n

At that point, "left" becomes (publ_cnt - m*n) * ITEM_SIZE, and there are
also (publ_cnt - m*n) iterations left, so "left" again becomes 0 in the
last iteration and "buf" is freed.


Besides that, is it valid to call kfree() on a buffer allocated by
alloc_skb()?

Thanks,
Björn
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ