| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 19 Nov 2018 12:39:55 -0800 (PST)
From: David Miller <davem@...emloft.net>
To: lucien.xin@...il.com
Cc: netdev@...r.kernel.org, linux-sctp@...r.kernel.org,
marcelo.leitner@...il.com, nhorman@...driver.com
Subject: Re: [PATCH net] sctp: count sk_wmem_alloc by skb truesize in
sctp_packet_transmit
From: Xin Long <lucien.xin@...il.com>
Date: Sun, 18 Nov 2018 15:07:38 +0800
> Now sctp increases sk_wmem_alloc by 1 when doing set_owner_w for the
> skb allocked in sctp_packet_transmit and decreases by 1 when freeing
> this skb.
>
> But when this skb goes through networking stack, some subcomponents
> might change skb->truesize and add the same amount on sk_wmem_alloc.
> However sctp doesn't know the amount to decrease by, it would cause
> a leak on sk->sk_wmem_alloc and the sock can never be freed.
>
> Xiumei found this issue when it hit esp_output_head() by using sctp
> over ipsec, where skb->truesize is added and so is sk->sk_wmem_alloc.
>
> Since sctp has used sk_wmem_queued to count for writable space since
> Commit cd305c74b0f8 ("sctp: use sk_wmem_queued to check for writable
> space"), it's ok to fix it by counting sk_wmem_alloc by skb truesize
> in sctp_packet_transmit.
>
> Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
> Reported-by: Xiumei Mu <xmu@...hat.com>
> Signed-off-by: Xin Long <lucien.xin@...il.com>
Applied and queued up for -stable.
Powered by blists - more mailing lists