Menu
▾
▴
Re: [tipc-discussion] [net v1 1/3] tipc: fix potential memory leak in __tipc_sendmsg()
|
From: Jon M. <jon...@er...> - 2019-08-14 15:36:54
|
Acked-by: Jon
> -----Original Message-----
> From: Ying Xue <yin...@wi...>
> Sent: 14-Aug-19 07:41
> To: Tung Quang Nguyen <tun...@de...>; tipc-
> dis...@li...; Jon Maloy <jon...@er...>;
> ma...@do...
> Subject: Re: [tipc-discussion][net v1 1/3] tipc: fix potential memory leak in
> __tipc_sendmsg()
>
> On 8/13/19 6:01 PM, Tung Nguyen wrote:
> > When initiating a connection message to a server side, the connection
> > message is cloned and added to the socket write queue. However, if the
> > cloning is failed, only the socket write queue is purged. It causes
> > memory leak because the original connection message is not freed.
> >
> > This commit fixes it by purging the list of connection message when it
> > cannot be cloned.
> >
> > Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener
> > socket")
> > Reported-by: Hoang Le <hoa...@de...>
> > Signed-off-by: Tung Nguyen <tun...@de...>
>
> Acked-by: Ying Xue <yin...@wi...>
>
> > ---
> > net/tipc/socket.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/tipc/socket.c b/net/tipc/socket.c index
> > 83ae41d7e554..dcb8b6082757 100644
> > --- a/net/tipc/socket.c
> > +++ b/net/tipc/socket.c
> > @@ -1392,8 +1392,10 @@ static int __tipc_sendmsg(struct socket *sock,
> struct msghdr *m, size_t dlen)
> > rc = tipc_msg_build(hdr, m, 0, dlen, mtu, &pkts);
> > if (unlikely(rc != dlen))
> > return rc;
> > - if (unlikely(syn && !tipc_msg_skb_clone(&pkts, &sk-
> >sk_write_queue)))
> > + if (unlikely(syn && !tipc_msg_skb_clone(&pkts, &sk-
> >sk_write_queue))) {
> > + __skb_queue_purge(&pkts);
> > return -ENOMEM;
> > + }
> >
> > trace_tipc_sk_sendmsg(sk, skb_peek(&pkts), TIPC_DUMP_SK_SNDQ, "
> ");
> > rc = tipc_node_xmit(net, &pkts, dnode, tsk->portid);
> >
|
