From: Jon M. <jon...@er...> - 2019-08-14 15:36:54
Acked-by: Jon > -----Original Message----- > From: Ying Xue <yin...@wi...> > Sent: 14-Aug-19 07:41 > To: Tung Quang Nguyen <tun...@de...>; tipc- > dis...@li...; Jon Maloy <jon...@er...>; > ma...@do... > Subject: Re: [tipc-discussion][net v1 1/3] tipc: fix potential memory leak in > __tipc_sendmsg() > > On 8/13/19 6:01 PM, Tung Nguyen wrote: > > When initiating a connection message to a server side, the connection > > message is cloned and added to the socket write queue. However, if the > > cloning is failed, only the socket write queue is purged. It causes > > memory leak because the original connection message is not freed. > > > > This commit fixes it by purging the list of connection message when it > > cannot be cloned. > > > > Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener > > socket") > > Reported-by: Hoang Le <hoa...@de...> > > Signed-off-by: Tung Nguyen <tun...@de...> > > Acked-by: Ying Xue <yin...@wi...> > > > --- > > net/tipc/socket.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/net/tipc/socket.c b/net/tipc/socket.c index > > 83ae41d7e554..dcb8b6082757 100644 > > --- a/net/tipc/socket.c > > +++ b/net/tipc/socket.c > > @@ -1392,8 +1392,10 @@ static int __tipc_sendmsg(struct socket *sock, > struct msghdr *m, size_t dlen) > > rc = tipc_msg_build(hdr, m, 0, dlen, mtu, &pkts); > > if (unlikely(rc != dlen)) > > return rc; > > - if (unlikely(syn && !tipc_msg_skb_clone(&pkts, &sk- > >sk_write_queue))) > > + if (unlikely(syn && !tipc_msg_skb_clone(&pkts, &sk- > >sk_write_queue))) { > > + __skb_queue_purge(&pkts); > > return -ENOMEM; > > + } > > > > trace_tipc_sk_sendmsg(sk, skb_peek(&pkts), TIPC_DUMP_SK_SNDQ, " > "); > > rc = tipc_node_xmit(net, &pkts, dnode, tsk->portid); > > |
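Review bot: the early return just above the new block, "if (unlikely(rc != dlen)) return rc;", still exits without touching pkts, so it is worth confirming (and stating in the commit message) that tipc_msg_build() releases whatever it queued on pkts when it returns a short or error value; if it does not, that path needs the same __skb_queue_purge(&pkts). The added purge also depends on tipc_msg_skb_clone() having already emptied sk->sk_write_queue on failure, as the commit message says; a one-line comment at the call site saying which queue each side is responsible for would keep that ownership clear for the next change to __tipc_sendmsg().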