lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 3 May 2019 07:49:58 -0400
From:   Eric Dumazet <edumazet@...gle.com>
To:     Stefan Bader <stefan.bader@...onical.com>,
        Peter Oskolkov <posk@...gle.com>
Cc:     netdev <netdev@...r.kernel.org>,
        Ben Hutchings <ben.hutchings@...ethink.co.uk>
Subject: Re: Possible refcount bug in ip6_expire_frag_queue()?

On Fri, May 3, 2019 at 7:17 AM Eric Dumazet <edumazet@...gle.com> wrote:
>
> On Fri, May 3, 2019 at 7:12 AM Eric Dumazet <edumazet@...gle.com> wrote:
> >

> > I will send the following fix
> >
> > diff --git a/include/net/ipv6_frag.h b/include/net/ipv6_frag.h
> > index 28aa9b30aeceac9a86ee6754e4b5809be115e947..d3152811b8962705a508b3fd31d2157dd19ae8e5
> > 100644
> > --- a/include/net/ipv6_frag.h
> > +++ b/include/net/ipv6_frag.h
> > @@ -94,11 +94,9 @@ ip6frag_expire_frag_queue(struct net *net, struct
> > frag_queue *fq)
> >                 goto out;
> >
> >         head->dev = dev;
> > -       skb_get(head);
> >         spin_unlock(&fq->q.lock);
> >
> >         icmpv6_send(head, ICMPV6_TIME_EXCEED, ICMPV6_EXC_FRAGTIME, 0);
> > -       kfree_skb(head);
>
> Oh well, we want to keep the kfree_skb() of course.
>
> Only the skb_get(head) needs to be removed (this would fix memory leak
> I presume...  :/ )

Official submission :

https://patchwork.ozlabs.org/patch/1094854/ ip6: fix skb leak in
ip6frag_expire_frag_queue()

Thanks a lot Stefan for bringing up this issue to our attention !

Powered by blists - more mailing lists