| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20071115102101.c1b928b7.dada1@cosmosbay.com> Date: Thu, 15 Nov 2007 10:21:01 +0100 From: Eric Dumazet <dada1@...mosbay.com> To: Pavel Emelyanov <xemul@...nvz.org> Cc: David Miller <davem@...emloft.net>, Linux Netdev List <netdev@...r.kernel.org>, devel@...nvz.org Subject: Re: [PATCH 1/2][INET] (resend) Fix potential kfree on vmalloc-ed area of request_sock_queue On Thu, 15 Nov 2007 11:41:37 +0300 Pavel Emelyanov <xemul@...nvz.org> wrote: > The request_sock_queue's listen_opt is either vmalloc-ed or > kmalloc-ed depending on the number of table entries. Thus it > is expected to be handled properly on free, which is done in > the reqsk_queue_destroy(). > > However the error path in inet_csk_listen_start() calls > the lite version of reqsk_queue_destroy, called > __reqsk_queue_destroy, which calls the kfree unconditionally. > > Fix this and move the __reqsk_queue_destroy into a .c file as > it looks too big to be inline. > > As David also noticed, this is an error recovery path only, > so no locking is required and the lopt is known to be not NULL. > > Signed-off-by: Pavel Emelyanov <xemul@...nvz.org> > Acked-by: Eric Dumazet <dada1@...mosbay.com> Thank you for finding this bug Pavel - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists