Actions
Bug #5874
open
Very low memory may cause a TCP double-free
Status:
New
Priority:
Low
Assignee:
-
Category:
networking
Start date:
2015-04-27
Due date:
% Done:
0%
Estimated time:
Difficulty:
Bite-size
Tags:
needs-triage
Gerrit CR:
Description
Consider this code snippet from tcp_input_listener():
1515 /*
1516 * Now that the IP addresses and ports are setup in econnp we
1517 * can do the IPsec policy work.
1518 */
1519 if (ira->ira_flags & IRAF_IPSEC_SECURE) {
1520 if (lconnp->conn_policy != NULL) {
1521 /*
1522 * Inherit the policy from the listener; use
1523 * actions from ira
1524 */
1525 if (!ip_ipsec_policy_inherit(econnp, lconnp, ira)) {
1526 CONN_DEC_REF(econnp);
1527 freemsg(mp);
1528 goto error3;
1529 }
1530 }
1531 }
Now look at the error3: label:
1818 error3: 1819 CONN_DEC_REF(econnp); 1820 error2: 1821 freemsg(mp); 1822 if (tlc_set) 1823 atomic_dec_32(&listener->tcp_listen_cnt->tlc_cnt); 1824 }
We need to lose the freemsg() in line 1527.
NOTE: Testing this will be annoying, because ip_ipsec_policy_inherit() only fails if the IPsec action kmem cache is depleted.
No data to display
Actions