From: Ying X. <yin...@wi...> - 2019-08-14 11:54:09
On 8/13/19 6:01 PM, Tung Nguyen wrote: > When initiating a connection message to a server side, the connection > message is cloned and added to the socket write queue. However, if the > cloning is failed, only the socket write queue is purged. It causes > memory leak because the original connection message is not freed. > > This commit fixes it by purging the list of connection message when > it cannot be cloned. > > Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener socket") > Reported-by: Hoang Le <hoa...@de...> > Signed-off-by: Tung Nguyen <tun...@de...> Acked-by: Ying Xue <yin...@wi...> > --- > net/tipc/socket.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/net/tipc/socket.c b/net/tipc/socket.c > index 83ae41d7e554..dcb8b6082757 100644 > --- a/net/tipc/socket.c > +++ b/net/tipc/socket.c > @@ -1392,8 +1392,10 @@ static int __tipc_sendmsg(struct socket *sock, struct msghdr *m, size_t dlen) > rc = tipc_msg_build(hdr, m, 0, dlen, mtu, &pkts); > if (unlikely(rc != dlen)) > return rc; > - if (unlikely(syn && !tipc_msg_skb_clone(&pkts, &sk->sk_write_queue))) > + if (unlikely(syn && !tipc_msg_skb_clone(&pkts, &sk->sk_write_queue))) { > + __skb_queue_purge(&pkts); > return -ENOMEM; > + } > > trace_tipc_sk_sendmsg(sk, skb_peek(&pkts), TIPC_DUMP_SK_SNDQ, " "); > rc = tipc_node_xmit(net, &pkts, dnode, tsk->portid); > |
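Review bot: the `if (unlikely(rc != dlen)) return rc;` path directly above the changed lines in __tipc_sendmsg() still returns without touching `pkts`, and nothing in this hunk shows whether tipc_msg_build() empties that list itself when it fails. Either confirm that in the commit message or purge `pkts` on that path too, so that both error exits before tipc_node_xmit() are covered. The new `__skb_queue_purge(&pkts)` before `return -ENOMEM` matches the commit message, which says the failed clone purges only `sk->sk_write_queue`; a short comment at that call noting that the clone helper does not free the source list would help the next reader of this function.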