From patchwork Fri May 17 14:53:13 2013
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 244666
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <1368802393.3301.90.camel@edumazet-glaptop>
Subject: Re: [PATCH net-next] ipv6: use ipv6_dup_options() from ip6_append_data()
From: Eric Dumazet
To: Herbert Xu
Cc: David Miller, netdev, Hideaki YOSHIFUJI, Neal Cardwell
Date: Fri, 17 May 2013 07:53:13 -0700
In-Reply-To: <20130517135804.GA16069@gondor.apana.org.au>
References: <1368742990.3301.67.camel@edumazet-glaptop>
 <1368750452.3301.74.camel@edumazet-glaptop>
 <20130517135804.GA16069@gondor.apana.org.au>
X-Mailer: Evolution 3.2.3-0ubuntu6
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

From: Eric Dumazet

On Fri, 2013-05-17 at 21:58 +0800, Herbert Xu wrote:
> However, I think this function is just as buggy as the original
> code that I replaced. If you look at the code that fills in the
> options in ip6_datagram_send_ctl, you'll find that the options do
> not lie in the memory area of the opt + opt->tot_len. They instead
> point to data in the cmsg.
>
> So I think we should
>
> 1) fix ipv6_dup_options to do what I tried to do but in a non-buggy way;
> 2) make the UDP path use it.
>
> BTW, in the UDP path we also have a socket so we can just charge the
> memory to it and avoid using kmalloc at all.

OK, so I guess for stable we should use kzalloc(), and work on a cleanup
in net-next.

Thanks !

[PATCH] ipv6: fix possible crashes in ip6_cork_release()

commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data")
added some code duplication and bad error recovery, leading to
potential crash in ip6_cork_release() as kfree() could be called
with garbage.

Use kzalloc() to make sure this won't happen.

Signed-off-by: Eric Dumazet
Cc: Herbert Xu
Cc: Hideaki YOSHIFUJI
Cc: Neal Cardwell
---
 net/ipv6/ip6_output.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index d2eedf1..dae1949 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -1147,7 +1147,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, if (WARN_ON(np->cork.opt)) return -EINVAL; - np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation); + np->cork.opt = kzalloc(opt->tot_len, sk->sk_allocation); if (unlikely(np->cork.opt == NULL)) return -ENOBUFS;
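Review bot: the kzalloc() in this hunk stops the crash only by making the pointer members of the freshly allocated cork options NULL, so a kfree() in ip6_cork_release() reached on an error path before the sub-options are copied becomes a no-op instead of a free of uninitialised memory; the copy itself, which Herbert's reply above says still references option data living in the cmsg rather than inside opt + opt->tot_len, is unchanged. That is the right scope for a stable fix, but the commit message should say so ("minimal fix for stable; the copy is reworked in net-next") so a backporter does not read this as resolving the underlying issue. One small style point: the allocation is sized purely from opt->tot_len, so if the callers that build opt guarantee tot_len covers the struct header, a one-line comment here saying so would save the next reader a trip to ip6_datagram_send_ctl.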
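The crash class the commit message describes, as an added example that is not kernel code and not part of this thread: a userspace model of the cork-options header with a mock allocator that counts, instead of executing, kfree() calls on pointers it never handed out. `struct txoptions`, `cork_release()`, `mock_alloc()` and `mock_free()` are assumed names chosen to mirror the kernel's; only the allocate, fail before the sub-options are copied, then release sequence is taken from the patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for struct ipv6_txoptions (added example, not kernel
 * code): a header of sub-option pointers, followed in the kernel by the
 * option bytes themselves, all inside one allocation of tot_len bytes. */
struct txoptions {
    size_t tot_len;
    void *hopopt;
    void *dst0opt;
    void *srcrt;
    void *dst1opt;
};

/* Mock allocator: records live allocations so a free() of a pointer it
 * never returned is counted rather than executed (in the kernel that free
 * is the crash in ip6_cork_release()). */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int bad_frees;

/* kmalloc()/kzalloc() model: zeroed == 0 fills the block with 0x5a to stand
 * in for whatever stale data a real kmalloc() returns. */
static void *mock_alloc(size_t n, int zeroed)
{
    void *p = malloc(n);
    if (!p) return NULL;
    memset(p, zeroed ? 0x00 : 0x5a, n);
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);                      /* table full: report as allocation failure */
    return NULL;
}

/* kfree() model: NULL is a no-op, an unknown pointer is a would-be crash. */
static void mock_free(void *p)
{
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    bad_frees++;
}

/* ip6_cork_release() model: free every sub-option, then the header. */
static void cork_release(struct txoptions *opt)
{
    if (!opt) return;
    mock_free(opt->hopopt);
    mock_free(opt->dst0opt);
    mock_free(opt->srcrt);
    mock_free(opt->dst1opt);
    mock_free(opt);
}

static int live_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++) n += live[i] != NULL;
    return n;
}

/* Error path from the patch: the cork header is allocated, ip6_append_data()
 * then fails before any sub-option pointer is filled in, and cleanup calls
 * cork_release(). Returns how many kfree() calls hit garbage. */
int error_path_bad_frees(int zeroed)
{
    bad_frees = 0;
    struct txoptions *opt = mock_alloc(sizeof(*opt) + 16, zeroed);
    if (!opt) return -1;
    opt->tot_len = sizeof(*opt) + 16;
    /* ... -ENOBUFS or similar happens here, sub-options never copied ... */
    cork_release(opt);
    return bad_frees;
}

/* Success path with a zeroed header: two sub-options attached and released.
 * Returns bad frees plus leaked allocations, so 0 means a clean teardown. */
int success_path_problems(void)
{
    bad_frees = 0;
    struct txoptions *opt = mock_alloc(sizeof(*opt) + 16, 1);
    if (!opt) return -1;
    opt->tot_len = sizeof(*opt) + 16;
    opt->hopopt = mock_alloc(8, 1);
    opt->dst1opt = mock_alloc(8, 1);
    cork_release(opt);
    return bad_frees + live_count();
}

int main(void)
{
    printf("kmalloc()-style error path: %d kfree() on garbage\n", error_path_bad_frees(0));
    printf("kzalloc()-style error path: %d kfree() on garbage\n", error_path_bad_frees(1));
    printf("kzalloc()-style success path problems: %d\n", success_path_problems());
    return 0;
}
```

The kmalloc()-style path reports one bad free per pointer member, the kzalloc()-style path reports none, and the success path still frees everything it attached: zeroing buys safety on the early-exit path without changing the normal teardown, which is exactly the property the one-line hunk relies on.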