Date:   Fri, 3 May 2019 14:07:00 +0200
From:   Stefan Bader <stefan.bader@...onical.com>
To:     Eric Dumazet <edumazet@...gle.com>,
        Peter Oskolkov <posk@...gle.com>
Cc:     netdev <netdev@...r.kernel.org>,
        Ben Hutchings <ben.hutchings@...ethink.co.uk>
Subject: Re: Possible refcount bug in ip6_expire_frag_queue()?

On 03.05.19 13:49, Eric Dumazet wrote:
> On Fri, May 3, 2019 at 7:17 AM Eric Dumazet <edumazet@...gle.com> wrote:
>>
>> On Fri, May 3, 2019 at 7:12 AM Eric Dumazet <edumazet@...gle.com> wrote:
>>>
> 
>>> I will send the following fix
>>>
>>> diff --git a/include/net/ipv6_frag.h b/include/net/ipv6_frag.h
>>> index 28aa9b30aeceac9a86ee6754e4b5809be115e947..d3152811b8962705a508b3fd31d2157dd19ae8e5
>>> 100644
>>> --- a/include/net/ipv6_frag.h
>>> +++ b/include/net/ipv6_frag.h
>>> @@ -94,11 +94,9 @@ ip6frag_expire_frag_queue(struct net *net, struct
>>> frag_queue *fq)
>>>                 goto out;
>>>
>>>         head->dev = dev;
>>> -       skb_get(head);
>>>         spin_unlock(&fq->q.lock);
>>>
>>>         icmpv6_send(head, ICMPV6_TIME_EXCEED, ICMPV6_EXC_FRAGTIME, 0);
>>> -       kfree_skb(head);
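Review bot: the second removal, `kfree_skb(head)` after `icmpv6_send()` at the end of the hunk, takes away the only release of `head` visible on this path, so with both lines gone nothing shown here frees `head` after `spin_unlock(&fq->q.lock)`. Dropping only `skb_get(head)` removes the extra reference without losing the final free. Keep `kfree_skb(head)`, and state in the commit message which reference that call releases so the pairing is clear to later readers.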
>>
>> Oh well, we want to keep the kfree_skb() of course.
>>
>> Only the skb_get(head) needs to be removed (this would fix memory leak
>> I presume...  :/ )
> 
> Official submission :
> 
> https://patchwork.ozlabs.org/patch/1094854/ ip6: fix skb leak in
> ip6frag_expire_frag_queue()
> 
> Thanks a lot Stefan for bringing up this issue to our attention !
> 
Thank you Eric for the quick response.

-Stefan


