diff options
author | Xin Long <lucien.xin@gmail.com> | 2024-04-30 16:03:38 +0200 |
---|---|---|
committer | Jakub Kicinski <kuba@kernel.org> | 2024-05-02 03:39:44 +0200 |
commit | 97bf6f81b29a8efaf5d0983251a7450e5794370d (patch) | |
tree | f83f56213adc7886558f9dba0409f4990a9698aa /net/tipc | |
parent | tipc: fix UAF in error path (diff) | |
download | linux-97bf6f81b29a8efaf5d0983251a7450e5794370d.tar.xz linux-97bf6f81b29a8efaf5d0983251a7450e5794370d.zip |
tipc: fix a possible memleak in tipc_buf_append
__skb_linearize() doesn't free the skb when it fails, so move
'*buf = NULL' after __skb_linearize(), so that the skb can be
freed on the err path.
Fixes: b7df21cf1b79 ("tipc: skb_linearize the head skb when reassembling msgs")
Reported-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
Link: https://lore.kernel.org/r/90710748c29a1521efac4f75ea01b3b7e61414cf.1714485818.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net/tipc')
-rw-r--r-- | net/tipc/msg.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/tipc/msg.c b/net/tipc/msg.c index 9a6e9bcbf694..76284fc538eb 100644 --- a/net/tipc/msg.c +++ b/net/tipc/msg.c @@ -142,9 +142,9 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf) if (fragid == FIRST_FRAGMENT) { if (unlikely(head)) goto err; - *buf = NULL; if (skb_has_frag_list(frag) && __skb_linearize(frag)) goto err; + *buf = NULL; frag = skb_unshare(frag, GFP_ATOMIC); if (unlikely(!frag)) goto err; |