Bug #5874
Very low memory may cause a TCP double-free
Status: New
Priority: Low
Assignee: -
Category: networking
Start date: 2015-04-27
Due date:
% Done: 0%
Estimated time:
Difficulty: Bite-size
Tags: needs-triage
Gerrit CR:
Description
Consider this code snippet from tcp_input_listener():
1515     /*
1516      * Now that the IP addresses and ports are setup in econnp we
1517      * can do the IPsec policy work.
1518      */
1519     if (ira->ira_flags & IRAF_IPSEC_SECURE) {
1520         if (lconnp->conn_policy != NULL) {
1521             /*
1522              * Inherit the policy from the listener; use
1523              * actions from ira
1524              */
1525             if (!ip_ipsec_policy_inherit(econnp, lconnp, ira)) {
1526                 CONN_DEC_REF(econnp);
1527                 freemsg(mp);
1528                 goto error3;
1529             }
1530         }
1531     }
Now look at the error3: label:
1818 error3:
1819     CONN_DEC_REF(econnp);
1820 error2:
1821     freemsg(mp);
1822     if (tlc_set)
1823         atomic_dec_32(&listener->tcp_listen_cnt->tlc_cnt);
1824 }
We need to lose the freemsg() on line 1527: error3 falls through to error2, which calls freemsg(mp) on the same mblk again, so the message is freed twice.
NOTE: Testing this will be annoying, because ip_ipsec_policy_inherit() only fails if the IPsec action kmem cache is depleted.
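The error-path shape described above, reduced to a self-contained model as an added example (this is not illumos code). A counting stand-in replaces freemsg() so the double free shows up as a free count instead of as undefined behaviour, a hypothetical policy_inherit() stands in for ip_ipsec_policy_inherit() with the cache-depleted condition simulated by the caller, and the connection reference counting is left out of the model.

```c
/* Added illustration, not illumos code: the cleanup-label pattern from
 * tcp_input_listener(), modelled with only the message buffer tracked. */
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for mblk_t: records how often it was "freed". */
typedef struct { int free_count; } mblk_t;

/* Counting replacement for freemsg(); never touches real memory. */
static void freemsg_counted(mblk_t *mp) { mp->free_count++; }

/* Hypothetical stand-in for ip_ipsec_policy_inherit(): the caller decides
 * whether the simulated IPsec action cache is depleted. */
static bool policy_inherit(bool cache_depleted) { return !cache_depleted; }

/* Shape of the reported code: the failure branch frees mp itself and then
 * jumps to error3, which falls into error2 and frees mp a second time. */
static int listener_buggy(mblk_t *mp, bool cache_depleted)
{
    if (!policy_inherit(cache_depleted)) {
        freemsg_counted(mp);      /* the freemsg() from line 1527 */
        goto error3;
    }
    return 0;
error3:
    /* in the real code: CONN_DEC_REF(econnp); then fall into error2: */
    freemsg_counted(mp);
    return -1;
}

/* Shape with the freemsg() removed from the failure branch, as the report
 * proposes: the branch only jumps, and the label owns the single free. */
static int listener_fixed(mblk_t *mp, bool cache_depleted)
{
    if (!policy_inherit(cache_depleted))
        goto error3;
    return 0;
error3:
    /* in the real code: CONN_DEC_REF(econnp); then fall into error2: */
    freemsg_counted(mp);
    return -1;
}

/* Drive one variant down the failure path on a fresh buffer and return how
 * many times the buffer was freed; anything above 1 is a double free. */
static int frees_on_failure(int (*variant)(mblk_t *, bool))
{
    mblk_t m = { 0 };
    (void)variant(&m, true);
    return m.free_count;
}

/* Success path for contrast: the buffer is handed on, never freed here. */
static int frees_on_success(int (*variant)(mblk_t *, bool))
{
    mblk_t m = { 0 };
    (void)variant(&m, false);
    return m.free_count;
}

int main(void)
{
    printf("buggy variant, failure path: %d free(s)\n", frees_on_failure(listener_buggy));
    printf("fixed variant, failure path: %d free(s)\n", frees_on_failure(listener_fixed));
    printf("success path frees: %d / %d\n",
           frees_on_success(listener_buggy), frees_on_success(listener_fixed));
    return 0;
}
```

The same counting stand-in is the cheap way to cover this in a unit harness when the real trigger (a depleted kmem cache) is impractical to reproduce: wrap the release primitive, force the failure branch, and assert on exactly one release per path.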