| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 13 Sep 2021 22:18:51 -0700
From: Eric Dumazet <eric.dumazet@...il.com>
To: "David S . Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>
Cc: netdev <netdev@...r.kernel.org>,
Eric Dumazet <edumazet@...gle.com>,
Eric Dumazet <eric.dumazet@...il.com>,
Yajun Deng <yajun.deng@...ux.dev>
Subject: [PATCH net] Revert "Revert "ipv4: fix memory leaks in ip_cmsg_send() callers""
From: Eric Dumazet <edumazet@...gle.com>
This reverts commit d7807a9adf4856171f8441f13078c33941df48ab.
As mentioned in https://lkml.org/lkml/2021/9/13/1819
5 years old commit 919483096bfe ("ipv4: fix memory leaks in ip_cmsg_send() callers")
was a correct fix.
ip_cmsg_send() can loop over multiple cmsghdr()
If IP_RETOPTS has been successful, but following cmsghdr generates an error,
we do not free ipc.ok
If IP_RETOPTS is not successful, we have freed the allocated temporary space,
not the one currently in ipc.opt.
Sure, code could be refactored, but let's not bring back old bugs.
Fixes: d7807a9adf48 ("Revert "ipv4: fix memory leaks in ip_cmsg_send() callers"")
Signed-off-by: Eric Dumazet <edumazet@...gle.com>
Cc: Yajun Deng <yajun.deng@...ux.dev>
---
net/ipv4/ip_sockglue.c | 2 +-
net/ipv4/ping.c | 5 +++--
net/ipv4/raw.c | 5 +++--
net/ipv4/udp.c | 5 +++--
4 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 7cef9987ab4ace4444c4b470a3393ce50219a69a..b297bb28556ec5cf383068f67ee910af38591cc3 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -279,7 +279,7 @@ int ip_cmsg_send(struct sock *sk, struct msghdr *msg, struct ipcm_cookie *ipc,
case IP_RETOPTS:
err = cmsg->cmsg_len - sizeof(struct cmsghdr);
- /* Our caller is responsible for freeing ipc->opt when err = 0 */
+ /* Our caller is responsible for freeing ipc->opt */
err = ip_options_get(net, &ipc->opt,
KERNEL_SOCKPTR(CMSG_DATA(cmsg)),
err < 40 ? err : 40);
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index c588f9f2f46c2b91fc9424ecfc0590b2b63a3470..1e44a43acfe2dfe57efdc64479c2d18402881d73 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -727,9 +727,10 @@ static int ping_v4_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
if (msg->msg_controllen) {
err = ip_cmsg_send(sk, msg, &ipc, false);
- if (unlikely(err))
+ if (unlikely(err)) {
+ kfree(ipc.opt);
return err;
-
+ }
if (ipc.opt)
free = 1;
}
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 1c98063a3ae816ecfd7135b0168fea5a9380676f..bb446e60cf58057b448f094b4d6f48d6e91d113c 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -562,9 +562,10 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
if (msg->msg_controllen) {
err = ip_cmsg_send(sk, msg, &ipc, false);
- if (unlikely(err))
+ if (unlikely(err)) {
+ kfree(ipc.opt);
goto out;
-
+ }
if (ipc.opt)
free = 1;
}
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index d5f5981d7a43244cace63653b790a34174364e3e..8851c9463b4b62c9017565f545250c4ffe22927c 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1122,9 +1122,10 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
if (err > 0)
err = ip_cmsg_send(sk, msg, &ipc,
sk->sk_family == AF_INET6);
- if (unlikely(err < 0))
+ if (unlikely(err < 0)) {
+ kfree(ipc.opt);
return err;
-
+ }
if (ipc.opt)
free = 1;
connected = 0;
--
2.33.0.309.g3052b89438-goog
Powered by blists - more mailing lists