Patchwork [Precise,CVE,2/2] UBUNTU: SAUCE: xen/netback: free already allocated memory on failure in xen_netbk_get_requests

login
register
mail settings
Submitter Luis Henriques
Date Feb. 8, 2013, 3:18 p.m.
Message ID <1360336743-5290-5-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/219197/
State New
Headers show

Comments

Luis Henriques - Feb. 8, 2013, 3:18 p.m.
From: Ian Campbell <ian.campbell@citrix.com>

BugLink: http://bugs.launchpad.net/bugs/1117331

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>

CVE-2013-0217

Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Luis Henriques <luis.henriques@canonical.com>
---
 drivers/net/xen-netback/netback.c |   16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

Patch

diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
index 57baa9e..54f23a3 100644
--- a/drivers/net/xen-netback/netback.c
+++ b/drivers/net/xen-netback/netback.c
@@ -950,7 +950,7 @@  static struct gnttab_copy *xen_netbk_get_requests(struct xen_netbk *netbk,
 		pending_idx = netbk->pending_ring[index];
 		page = xen_netbk_alloc_page(netbk, skb, pending_idx);
 		if (!page)
-			return NULL;
+			goto err;
 
 		netbk->mmap_pages[pending_idx] = page;
 
@@ -974,6 +974,20 @@  static struct gnttab_copy *xen_netbk_get_requests(struct xen_netbk *netbk,
 	}
 
 	return gop;
+err:
+	/*
+	 * Unwind, freeing all pages and sending error
+	 * reponses.
+	 */
+	while (i-- > start) {
+		xen_netbk_idx_release(netbk, frag_get_pending_idx(&frags[i]),
+				      XEN_NETIF_RSP_ERROR);
+	}
+	/* The head too, if necessary. */
+	if (start)
+		xen_netbk_idx_release(netbk, pending_idx, XEN_NETIF_RSP_ERROR);
+
+	return NULL;
 }
 
 static int xen_netbk_tx_check_gop(struct xen_netbk *netbk,