| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 12 Oct 2014 17:07:56 +0200
From: Stephen Hemminger <stephen@...workplumber.org>
To: Andy Grover <andy.grover@...cle.com>
Cc: netdev@...r.kernel.org
Subject: Fw: [Bug 86081] New: Can't free the return value of sock_kmalloc()
when the value is NULL
Begin forwarded message:
Date: Sun, 12 Oct 2014 01:26:47 -0700
From: "bugzilla-daemon@...zilla.kernel.org" <bugzilla-daemon@...zilla.kernel.org>
To: "stephen@...workplumber.org" <stephen@...workplumber.org>
Subject: [Bug 86081] New: Can't free the return value of sock_kmalloc() when the value is NULL
https://bugzilla.kernel.org/show_bug.cgi?id=86081
Bug ID: 86081
Summary: Can't free the return value of sock_kmalloc() when the
value is NULL
Product: Networking
Version: 2.5
Kernel Version: 3.14
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: Other
Assignee: shemminger@...ux-foundation.org
Reporter: rucsoftsec@...il.com
Regression: No
in function rds_cmsg_rdma_args() at net/rds/rdma.c:L546, the variable
"iovstack" is an array and the pointer variable *iovs is equal to iovstack (at
Line 554). As the the return value of sock_kmalloc() (called at line 578),when
"iovs" is NULL, function sock_kfree_s() will be called(at line 697) and
function sock_kfree_s() will free "iovs".
The related code snippets in function rds_cmsg_rdma_args() are as followings.
rds_cmsg_rdma_args() at net/rds/rdma.c:L546
546 int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
547 struct cmsghdr *cmsg)
548 {
549 struct rds_rdma_args *args;
550 struct rm_rdma_op *op = &rm->rdma;
551 int nr_pages;
552 unsigned int nr_bytes;
553 struct page **pages = NULL;
554 struct rds_iovec iovstack[UIO_FASTIOV], *iovs = iovstack;
...
576 iov_size = args->nr_local * sizeof(struct rds_iovec);
577 if (args->nr_local > UIO_FASTIOV) {
578 iovs = sock_kmalloc(rds_rs_to_sk(rs), iov_size,
GFP_KERNEL);
579 if (!iovs) {
580 ret = -ENOMEM;
581 goto out;
582 }
583 }
...
695 out:
696 if (iovs != iovstack)
697 sock_kfree_s(rds_rs_to_sk(rs), iovs, iov_size);
698 kfree(pages);
699 if (ret)
700 rds_rdma_free_op(op);
701 else
702 rds_stats_inc(s_send_rdma);
703
704 return ret;
705 }
Thak you!
RUC_Soft_Sec, supported by China.X.Orion
--
You are receiving this mail because:
You are the assignee for the bug.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists