From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hoang Le , Tung Nguyen , Ying Xue , Jon Maloy , "David S. Miller" Subject: [PATCH 5.4 025/102] tipc: fix potential memory leak in __tipc_sendmsg() Date: Fri, 24 Jan 2020 10:30:26 +0100 Message-Id: <20200124092809.967127381@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200124092806.004582306@linuxfoundation.org> References: <20200124092806.004582306@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Tung Nguyen commit 2fe97a578d7bad3116a89dc8a6692a51e6fc1d9c upstream. When initiating a connection message to a server side, the connection message is cloned and added to the socket write queue. However, if the cloning is failed, only the socket write queue is purged. It causes memory leak because the original connection message is not freed. This commit fixes it by purging the list of connection message when it cannot be cloned. Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener socket") Reported-by: Hoang Le Signed-off-by: Tung Nguyen Acked-by: Ying Xue Acked-by: Jon Maloy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/tipc/socket.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -1396,8 +1396,10 @@ static int __tipc_sendmsg(struct socket rc = tipc_msg_build(hdr, m, 0, dlen, mtu, &pkts); if (unlikely(rc != dlen)) return rc; - if (unlikely(syn && !tipc_msg_skb_clone(&pkts, &sk->sk_write_queue))) + if (unlikely(syn && !tipc_msg_skb_clone(&pkts, &sk->sk_write_queue))) { + __skb_queue_purge(&pkts); return -ENOMEM; + } trace_tipc_sk_sendmsg(sk, skb_peek(&pkts), TIPC_DUMP_SK_SNDQ, " "); rc = tipc_node_xmit(net, &pkts, dnode, tsk->portid);
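Review bot: the early return just above the changed branch, `if (unlikely(rc != dlen)) return rc;`, still exits without purging `pkts`, so it is leak-free only if tipc_msg_build() empties the list itself whenever it returns something other than dlen. That is not visible in this hunk and should be confirmed or stated in a comment, since it is the same ownership question this patch fixes for the clone failure. On the new branch, the commit message says the socket write queue is already purged when cloning fails, so `__skb_queue_purge(&pkts);` before `return -ENOMEM;` covers the caller-owned list; a one-line comment that `pkts` belongs to __tipc_sendmsg() until it is handed to tipc_node_xmit() would help keep later error paths from repeating the omission.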