Patchwork [maverick,maverick/ti-omap4,lucid] core: Fix memory leak/corruption on VLAN GRO_DROP

login
register
mail settings
Submitter Stefan Bader
Date Sept. 19, 2011, 2 p.m.
Message ID <1316440807-9603-3-git-send-email-stefan.bader@canonical.com>
Download mbox | patch
Permalink /patch/115349/
State New
Headers show

Comments

Stefan Bader - Sept. 19, 2011, 2 p.m.
From: Herbert Xu <herbert.xu@redhat.com>

The function napi_reuse_skb is only meant to be used for packets
merged by GRO.  Using it on the VLAN path will lead to memory
leaks/corruption.  This patch is based on Jay Vosburgh's patch,
and it fixes the problem by calling kfree_skb on the VLAN GRO_DROP
path instead of napi_reuse_skb.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Jarod Wilson <jarod@redhat.com>

CVE-2011-1576
BugLink: http://bugs.launchpad.net/bugs/844361
(backported from kernel-2.6.18-238.19.1.el5.src.rpm)

Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
 net/core/dev.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

Patch

diff --git a/net/core/dev.c b/net/core/dev.c
index 85e3f8d..52ec7f4 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3266,6 +3266,9 @@  gro_result_t napi_frags_finish(struct napi_struct *napi, struct sk_buff *skb,
 		break;
 
 	case GRO_DROP:
+		kfree_skb(skb);
+		break;
+
 	case GRO_MERGED_FREE:
 		napi_reuse_skb(napi, skb);
 		break;