ipv4: fix memory leaks in ip_cmsg_send() callers
authorEric Dumazet <edumazet@google.com>
Thu, 4 Feb 2016 14:23:28 +0000 (06:23 -0800)
committerDavid S. Miller <davem@davemloft.net>
Sat, 13 Feb 2016 10:57:39 +0000 (05:57 -0500)
Dmitry reported memory leaks of IP options allocated in
ip_cmsg_send() when/if this function returns an error.

Callers are responsible for the freeing.

Many thanks to Dmitry for the report and diagnostic.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/ip_sockglue.c
net/ipv4/ping.c
net/ipv4/raw.c
net/ipv4/udp.c

index 5f73a7c03e27d334c771f144825c4a2f718d71ba..a50124260f5a4aaa98a3e4a582dbcbdbc236e370 100644 (file)
@@ -249,6 +249,8 @@ int ip_cmsg_send(struct net *net, struct msghdr *msg, struct ipcm_cookie *ipc,
                switch (cmsg->cmsg_type) {
                case IP_RETOPTS:
                        err = cmsg->cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr));
+
+                       /* Our caller is responsible for freeing ipc->opt */
                        err = ip_options_get(net, &ipc->opt, CMSG_DATA(cmsg),
                                             err < 40 ? err : 40);
                        if (err)
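Review bot: The comment added above the `ip_options_get()` call states the ownership rule but not the case this commit fixes: per the commit message, `ipc->opt` can be left allocated when `ip_cmsg_send()` returns an error. Presumably that happens when a later control message is rejected after an `IP_RETOPTS` one succeeded, which is worth confirming against the rest of the loop. Saying so explicitly would stop a future caller from assuming an error return means nothing to free, e.g. `/* ipc->opt may remain allocated even when we return an error; the caller must kfree() it */`. The rule would also be easier to find in a function-level comment on `ip_cmsg_send()`, whose header and remaining body are outside this hunk.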
index c117b21b937de778dffa484d589141ea31e1b6bc..d3a27165f9cca0f20f68616295cfbf683fb4adc0 100644 (file)
@@ -746,8 +746,10 @@ static int ping_v4_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
 
        if (msg->msg_controllen) {
                err = ip_cmsg_send(sock_net(sk), msg, &ipc, false);
-               if (err)
+               if (unlikely(err)) {
+                       kfree(ipc.opt);
                        return err;
+               }
                if (ipc.opt)
                        free = 1;
        }
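Review bot: The new error branch calls `kfree(ipc.opt)` unconditionally, which is only safe if `ipc.opt` is set to NULL before `ip_cmsg_send()` runs. That initialisation is outside this hunk, so it should be confirmed for `ping_v4_sendmsg` and for the identical branches added in `raw_sendmsg` and `udp_sendmsg`. The control data comes from the sending process, so a mistake here is either a repeatable kernel memory leak or a free of an uninitialised pointer. A short comment at the branch, such as `/* ip_cmsg_send() may have allocated ipc.opt before failing */`, would show the next reader why an error path frees something.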
index bc35f1842512bef8e4d87e76542d7bf11f8946fa..7113bae4e6a0c02726e0e11c33415b6779b7d04b 100644 (file)
@@ -547,8 +547,10 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
 
        if (msg->msg_controllen) {
                err = ip_cmsg_send(net, msg, &ipc, false);
-               if (err)
+               if (unlikely(err)) {
+                       kfree(ipc.opt);
                        goto out;
+               }
                if (ipc.opt)
                        free = 1;
        }
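Review bot: After `kfree(ipc.opt)` the error branch in `raw_sendmsg` jumps to `out` with `ipc.opt` still holding the freed address, unlike the ping and UDP branches, which return immediately. The `out` label and the function's cleanup code are outside this hunk, so whether anything there reads or frees `ipc.opt` cannot be checked from here. If any path reached from `out` does so, now or after a later refactor, this becomes a use-after-free or a double free. Clearing the pointer keeps the branch safe regardless of what follows: `kfree(ipc.opt); ipc.opt = NULL;`.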
index be0b21852b138ebc5eed9caf37740cbe1cb1abe0..95d2f198017ef1a6db687ddfe405a13830a37f3f 100644 (file)
@@ -1048,8 +1048,10 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
        if (msg->msg_controllen) {
                err = ip_cmsg_send(sock_net(sk), msg, &ipc,
                                   sk->sk_family == AF_INET6);
-               if (err)
+               if (unlikely(err)) {
+                       kfree(ipc.opt);
                        return err;
+               }
                if (ipc.opt)
                        free = 1;
                connected = 0;