Date: Wed, 15 Oct 2014 10:56:47 +0400
From: Vasily Averin <vvs@...allels.com>
To: Eric Dumazet <eric.dumazet@...il.com>
CC: netdev@...r.kernel.org, "David S. Miller" <davem@...emloft.net>, Alexey Kuznetsov <kuznet@....inr.ac.ru>, James Morris <jmorris@...ei.org>, Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>, Patrick McHardy <kaber@...sh.net>
Subject: Re: [PATCH v2] ipv4: dst_entry leak in ip_append_data()

On 15.10.2014 08:46, Eric Dumazet wrote:
> On Tue, 2014-10-14 at 08:57 +0400, Vasily Averin wrote:
>> v2: adjust the indentation of the arguments __ip_append_data() call
>>
>> Fixes: 2e77d89b2fa8 ("net: avoid a pair of dst_hold()/dst_release() in ip_append_data()")
>>
>> If sk_write_queue is empty ip_append_data() executes ip_setup_cork()
>> that "steals" dst entry from rt to cork. Later it calls __ip_append_data()
>> that creates skb and adds it to sk_write_queue.
>>
>> If skb was added successfully following ip_push_pending_frames() call
>> reassign dst entries from cork to skb, and kfree_skb frees dst_entry.
>>
>> However nobody frees stolen dst_entry if skb was not added into sk_write_queue.
>
> I thought this was done by ip_flush_pending_frames() ?

Take a look at ip_send_unicast_reply():
ip_flush_pending_frames() is not called if skb was not added to sk_write_queue.
And ip_rt_put() does not work, because dst entry was stolen in ip_setup_cork().

Probably it can happen in raw_sendmsg() and udp_sendmsg() too.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
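The ownership hand-off discussed in this message, as an added userspace model that is not part of the original post and is not kernel code. All struct and function names are simplified stand-ins, and the `release_on_error` branch is a hypothetical corrected error path, not the patch under review.

```c
#include <stddef.h>

/* Userspace model: bodies are simplified assumptions, not kernel code. */
struct dst  { int refcnt; };
struct cork { struct dst *dst; };
struct sock { struct cork cork; int queue_len; };

static void dst_release(struct dst *d) { if (d) d->refcnt--; }

/* Models ip_setup_cork(): the caller's reference moves into the cork. */
static void setup_cork(struct sock *sk, struct dst **rtp)
{
    sk->cork.dst = *rtp;
    *rtp = NULL;                /* "stolen": the caller no longer owns it */
}

/* Models ip_push_pending_frames() plus kfree_skb(): the skb takes the
 * cork's dst and the reference is dropped when the skb is freed. */
static void push_pending(struct sock *sk)
{
    sk->queue_len = 0;
    dst_release(sk->cork.dst);
    sk->cork.dst = NULL;
}

/* Models ip_append_data(); append_ok == 0 means no skb reached the queue. */
static int append_data(struct sock *sk, struct dst **rtp, int append_ok,
                       int release_on_error)
{
    if (sk->queue_len == 0)
        setup_cork(sk, rtp);
    if (append_ok) {
        sk->queue_len++;
        return 0;
    }
    if (release_on_error && sk->queue_len == 0) {   /* hypothetical fix */
        dst_release(sk->cork.dst);
        sk->cork.dst = NULL;
    }
    return -1;
}

/* Caller pattern from the thread; returns the dst refcount at the end. */
int reply_path_refcnt(int append_ok, int release_on_error)
{
    struct dst d = { 1 };       /* reference taken by the route lookup */
    struct dst *rt = &d;
    struct sock sk = { { NULL }, 0 };

    append_data(&sk, &rt, append_ok, release_on_error);
    if (sk.queue_len > 0)       /* nothing runs here if the queue is empty */
        push_pending(&sk);
    dst_release(rt);            /* models ip_rt_put(): rt is NULL by now */
    return d.refcnt;
}

int main(void) { return reply_path_refcnt(0, 1); }
```

A final count of 1 means the reference was never dropped: the caller's put sees NULL, and the cleanup keyed on the write queue never runs.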