Bug #5874

Very low memory may cause a TCP double-free

Added by Dan McDonald over 5 years ago.

Status: New
Priority: Low
Assignee: -
Category: networking
Start date: 2015-04-27
Due date:
% Done: 0%
Estimated time:
Difficulty: Bite-size
Tags: needs-triage
Gerrit CR:

Description

Consider this code snippet from tcp_input_listener():


1515         /*
1516          * Now that the IP addresses and ports are setup in econnp we
1517          * can do the IPsec policy work.
1518          */
1519         if (ira->ira_flags & IRAF_IPSEC_SECURE) {
1520                 if (lconnp->conn_policy != NULL) {
1521                         /*
1522                          * Inherit the policy from the listener; use
1523                          * actions from ira
1524                          */
1525                         if (!ip_ipsec_policy_inherit(econnp, lconnp, ira)) {
1526                                 CONN_DEC_REF(econnp);
1527                                 freemsg(mp);
1528                                 goto error3;
1529                         }
1530                 }
1531         }

Now look at the error3: label:


1818 error3:
1819         CONN_DEC_REF(econnp);
1820 error2:
1821         freemsg(mp);
1822         if (tlc_set)
1823                 atomic_dec_32(&listener->tcp_listen_cnt->tlc_cnt);
1824 }

We need to lose the freemsg() in line 1527.

NOTE: Testing this will be annoying, because ip_ipsec_policy_inherit() only fails if the IPsec action kmem cache is depleted.
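The pattern the report describes, as an added illustration that is not illumos code and not part of the original report: a cleanup label that frees the message, plus an early-failure branch that frees it once more before jumping to that label. The kernel objects are replaced by a constructed stand-in that counts releases instead of crashing, and ip_ipsec_policy_inherit() is replaced by a hypothetical sim_policy_inherit() with a failure flag, which is the fault-injection approach a test would need since the real function only fails when the kmem cache is depleted. The econnp reference count is not modelled; only the freemsg() path from line 1527 is.

```c
#include <stdbool.h>
#include <stdlib.h>

/*
 * Constructed stand-in for an mblk_t (not illumos code). It records how
 * many times it was released so a double free shows up as a count of 2
 * rather than as a kernel panic or heap corruption.
 */
typedef struct {
	int release_count;
} sim_mblk_t;

static void sim_freemsg(sim_mblk_t *mp)
{
	mp->release_count++;
}

/*
 * Hypothetical stand-in for ip_ipsec_policy_inherit(). The real function
 * only fails when the IPsec action kmem cache is depleted; the flag lets
 * the failure path be exercised deterministically (fault injection).
 */
static bool sim_policy_inherit(bool cache_depleted)
{
	return !cache_depleted;
}

/*
 * Models the failure path of tcp_input_listener(). When 'buggy' is true the
 * inner branch releases mp before jumping to the cleanup label, which
 * releases it again (the pattern at lines 1527 and 1821 of the report).
 * Returns how many times mp was released: 1 is correct, 2 is a double free,
 * 0 means the success path was taken and the message was handed off.
 */
static int sim_listener_failure_path(bool buggy, bool cache_depleted)
{
	sim_mblk_t msg = { 0 };
	sim_mblk_t *mp = &msg;

	if (!sim_policy_inherit(cache_depleted)) {
		if (buggy)
			sim_freemsg(mp);	/* extra release: the bug */
		goto error;
	}

	/* Success: the message is consumed by the new connection, not freed. */
	return msg.release_count;

error:
	/* Single cleanup point, as at the error3/error2 labels. */
	sim_freemsg(mp);
	return msg.release_count;
}

int main(void)
{
	/* Buggy path under a depleted cache frees twice; fixed path frees once. */
	int buggy = sim_listener_failure_path(true, true);
	int fixed = sim_listener_failure_path(false, true);

	return (buggy == 2 && fixed == 1) ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

The point of the stand-in is that the double free is only reachable through an allocation failure, so a review or test has to force that failure rather than wait for it; keeping every release on the single cleanup path after the label is what makes the early branch safe.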
