| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <052c350a-5076-283b-9679-eec21a827b54@canonical.com>
Date: Fri, 3 May 2019 14:07:00 +0200
From: Stefan Bader <stefan.bader@...onical.com>
To: Eric Dumazet <edumazet@...gle.com>,
Peter Oskolkov <posk@...gle.com>
Cc: netdev <netdev@...r.kernel.org>,
Ben Hutchings <ben.hutchings@...ethink.co.uk>
Subject: Re: Possible refcount bug in ip6_expire_frag_queue()?
On 03.05.19 13:49, Eric Dumazet wrote:
> On Fri, May 3, 2019 at 7:17 AM Eric Dumazet <edumazet@...gle.com> wrote:
>>
>> On Fri, May 3, 2019 at 7:12 AM Eric Dumazet <edumazet@...gle.com> wrote:
>>>
>
>>> I will send the following fix
>>>
>>> diff --git a/include/net/ipv6_frag.h b/include/net/ipv6_frag.h
>>> index 28aa9b30aeceac9a86ee6754e4b5809be115e947..d3152811b8962705a508b3fd31d2157dd19ae8e5
>>> 100644
>>> --- a/include/net/ipv6_frag.h
>>> +++ b/include/net/ipv6_frag.h
>>> @@ -94,11 +94,9 @@ ip6frag_expire_frag_queue(struct net *net, struct
>>> frag_queue *fq)
>>> goto out;
>>>
>>> head->dev = dev;
>>> - skb_get(head);
>>> spin_unlock(&fq->q.lock);
>>>
>>> icmpv6_send(head, ICMPV6_TIME_EXCEED, ICMPV6_EXC_FRAGTIME, 0);
>>> - kfree_skb(head);
>>
>> Oh well, we want to keep the kfree_skb() of course.
>>
>> Only the skb_get(head) needs to be removed (this would fix memory leak
>> I presume... :/ )
>
> Official submission :
>
> https://patchwork.ozlabs.org/patch/1094854/ ip6: fix skb leak in
> ip6frag_expire_frag_queue()
>
> Thanks a lot Stefan for bringing up this issue to our attention !
>
Thank you Eric for the quick response.
-Stefan
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists