| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 3 May 2019 07:49:58 -0400
From: Eric Dumazet <edumazet@...gle.com>
To: Stefan Bader <stefan.bader@...onical.com>,
Peter Oskolkov <posk@...gle.com>
Cc: netdev <netdev@...r.kernel.org>,
Ben Hutchings <ben.hutchings@...ethink.co.uk>
Subject: Re: Possible refcount bug in ip6_expire_frag_queue()?
On Fri, May 3, 2019 at 7:17 AM Eric Dumazet <edumazet@...gle.com> wrote:
>
> On Fri, May 3, 2019 at 7:12 AM Eric Dumazet <edumazet@...gle.com> wrote:
> >
> > I will send the following fix
> >
> > diff --git a/include/net/ipv6_frag.h b/include/net/ipv6_frag.h
> > index 28aa9b30aeceac9a86ee6754e4b5809be115e947..d3152811b8962705a508b3fd31d2157dd19ae8e5
> > 100644
> > --- a/include/net/ipv6_frag.h
> > +++ b/include/net/ipv6_frag.h
> > @@ -94,11 +94,9 @@ ip6frag_expire_frag_queue(struct net *net, struct
> > frag_queue *fq)
> > goto out;
> >
> > head->dev = dev;
> > - skb_get(head);
> > spin_unlock(&fq->q.lock);
> >
> > icmpv6_send(head, ICMPV6_TIME_EXCEED, ICMPV6_EXC_FRAGTIME, 0);
> > - kfree_skb(head);
>
> Oh well, we want to keep the kfree_skb() of course.
>
> Only the skb_get(head) needs to be removed (this would fix memory leak
> I presume... :/ )
Official submission :
https://patchwork.ozlabs.org/patch/1094854/ ip6: fix skb leak in
ip6frag_expire_frag_queue()
Thanks a lot Stefan for bringing up this issue to our attention !
Powered by blists - more mailing lists