Patchwork [3.5.y.z,extended,stable] Patch "ipv6: fix possible crashes in ip6_cork_release()" has been added to staging queue

login
register
mail settings
Submitter Luis Henriques
Date June 24, 2013, 8:19 a.m.
Message ID <1372061943-5005-1-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/253707/
State New
Headers show

Comments

Luis Henriques - June 24, 2013, 8:19 a.m.
This is a note to let you know that I have just added a patch titled

    ipv6: fix possible crashes in ip6_cork_release()

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

From 11f1d15a504d78e6461db7a4dab644e5a32f0b6d Mon Sep 17 00:00:00 2001
From: Eric Dumazet <edumazet@google.com>
Date: Fri, 17 May 2013 04:53:13 +0000
Subject: [PATCH] ipv6: fix possible crashes in ip6_cork_release()

commit 284041ef21fdf2e0d216ab6b787bc9072b4eb58a upstream.

commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data")
added some code duplication and bad error recovery, leading to potential
crash in ip6_cork_release() as kfree() could be called with garbage.

use kzalloc() to make sure this wont happen.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 net/ipv6/ip6_output.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--
1.8.1.2

Patch

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 4703c70..ccb2adb 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1242,7 +1242,7 @@  int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
 			if (WARN_ON(np->cork.opt))
 				return -EINVAL;

-			np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation);
+			np->cork.opt = kzalloc(opt->tot_len, sk->sk_allocation);
 			if (unlikely(np->cork.opt == NULL))
 				return -ENOBUFS;