Patchwork [Quantal,CVE,2/2] UBUNTU: SAUCE: xen/netback: free already allocated memory on failure in xen_netbk_get_requests

login
register
mail settings
Submitter Luis Henriques
Date Feb. 8, 2013, 3:19 p.m.
Message ID <1360336743-5290-7-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/219201/
State New
Headers show

Comments

Luis Henriques - Feb. 8, 2013, 3:19 p.m.
From: Ian Campbell <ian.campbell@citrix.com>

BugLink: http://bugs.launchpad.net/bugs/1117331

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>

CVE-2013-0217

Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Luis Henriques <luis.henriques@canonical.com>
---
 drivers/net/xen-netback/netback.c |   16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

Patch

diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
index d0a52b9..9a5189e 100644
--- a/drivers/net/xen-netback/netback.c
+++ b/drivers/net/xen-netback/netback.c
@@ -949,7 +949,7 @@  static struct gnttab_copy *xen_netbk_get_requests(struct xen_netbk *netbk,
 		pending_idx = netbk->pending_ring[index];
 		page = xen_netbk_alloc_page(netbk, skb, pending_idx);
 		if (!page)
-			return NULL;
+			goto err;
 
 		gop->source.u.ref = txp->gref;
 		gop->source.domid = vif->domid;
@@ -971,6 +971,20 @@  static struct gnttab_copy *xen_netbk_get_requests(struct xen_netbk *netbk,
 	}
 
 	return gop;
+err:
+	/*
+	 * Unwind, freeing all pages and sending error
+	 * reponses.
+	 */
+	while (i-- > start) {
+		xen_netbk_idx_release(netbk, frag_get_pending_idx(&frags[i]),
+				      XEN_NETIF_RSP_ERROR);
+	}
+	/* The head too, if necessary. */
+	if (start)
+		xen_netbk_idx_release(netbk, pending_idx, XEN_NETIF_RSP_ERROR);
+
+	return NULL;
 }
 
 static int xen_netbk_tx_check_gop(struct xen_netbk *netbk,