diff options
| author | Xin Long <lucien.xin@gmail.com> | 2024-04-30 10:03:38 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-05-17 11:56:01 +0200 |
| commit | d03a82f4f8144befdc10518e732e2a60b34c870e (patch) | |
| tree | 9d83cfc53a126277214960b15881c9c833da4ac4 /net/tipc | |
| parent | 989bf6fd1e1d058e73a364dce1a0c53d33373f62 (diff) | |
| download | linux-d03a82f4f8144befdc10518e732e2a60b34c870e.tar.gz linux-d03a82f4f8144befdc10518e732e2a60b34c870e.tar.bz2 linux-d03a82f4f8144befdc10518e732e2a60b34c870e.zip | |
tipc: fix a possible memleak in tipc_buf_append
[ Upstream commit 97bf6f81b29a8efaf5d0983251a7450e5794370d ]
__skb_linearize() doesn't free the skb when it fails, so move
'*buf = NULL' after __skb_linearize(), so that the skb can be
freed on the err path.
Fixes: b7df21cf1b79 ("tipc: skb_linearize the head skb when reassembling msgs")
Reported-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
Link: https://lore.kernel.org/r/90710748c29a1521efac4f75ea01b3b7e61414cf.1714485818.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net/tipc')
| -rw-r--r-- | net/tipc/msg.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/tipc/msg.c b/net/tipc/msg.c index 5c9fd4791c4b..c52ab423082c 100644 --- a/net/tipc/msg.c +++ b/net/tipc/msg.c @@ -142,9 +142,9 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf) if (fragid == FIRST_FRAGMENT) { if (unlikely(head)) goto err; - *buf = NULL; if (skb_has_frag_list(frag) && __skb_linearize(frag)) goto err; + *buf = NULL; frag = skb_unshare(frag, GFP_ATOMIC); if (unlikely(!frag)) goto err; |