| From 23e193bcbc149ab881587140e7c38a773320c926 Mon Sep 17 00:00:00 2001 |
| From: Tung Nguyen <tung.q.nguyen@dektech.com.au> |
| Date: Thu, 28 Nov 2019 10:10:05 +0700 |
| Subject: [PATCH] tipc: fix potential memory leak in __tipc_sendmsg() |
| |
| commit 2fe97a578d7bad3116a89dc8a6692a51e6fc1d9c upstream. |
| |
| When initiating a connection message to a server side, the connection |
| message is cloned and added to the socket write queue. However, if the |
| cloning fails, only the socket write queue is purged. This causes a |
| memory leak because the original connection message is not freed. |
| |
| This commit fixes it by purging the list of connection message when |
| it cannot be cloned. |
| |
| Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener socket") |
| Reported-by: Hoang Le <hoang.h.le@dektech.com.au> |
| Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au> |
| Acked-by: Ying Xue <ying.xue@windriver.com> |
| Acked-by: Jon Maloy <jon.maloy@ericsson.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/tipc/socket.c b/net/tipc/socket.c |
| index f5f027cf9a22..911e14fcf118 100644 |
| --- a/net/tipc/socket.c |
| +++ b/net/tipc/socket.c |
| @@ -1396,8 +1396,10 @@ static int __tipc_sendmsg(struct socket *sock, struct msghdr *m, size_t dlen) |
| rc = tipc_msg_build(hdr, m, 0, dlen, mtu, &pkts); |
| if (unlikely(rc != dlen)) |
| return rc; |
| - if (unlikely(syn && !tipc_msg_skb_clone(&pkts, &sk->sk_write_queue))) |
| + if (unlikely(syn && !tipc_msg_skb_clone(&pkts, &sk->sk_write_queue))) { |
| + __skb_queue_purge(&pkts); |
| return -ENOMEM; |
| + } |
| |
| trace_tipc_sk_sendmsg(sk, skb_peek(&pkts), TIPC_DUMP_SK_SNDQ, " "); |
| rc = tipc_node_xmit(net, &pkts, dnode, tsk->portid); |
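Review bot: Ownership of `pkts` is handled differently by the two early returns in this hunk, and nothing documents why. The new branch calls `__skb_queue_purge(&pkts);` before `return -ENOMEM;`, but the `if (unlikely(rc != dlen)) return rc;` path just above returns without purging. That is only correct if tipc_msg_build() frees the list itself on failure, which cannot be confirmed from these lines. If it does, a comment above the first return would make that explicit, e.g. `/* tipc_msg_build() purges pkts on error; after a failed clone pkts is still ours to free */`; if it does not, that return needs the same purge. __tipc_sendmsg() starts and ends outside the hunk, so any later error returns that still hold `pkts` should be checked the same way.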
| -- |
| 2.7.4 |
| |