diff options
author | Roland Dreier <roland@eddore.topspincom.com> | 2005-09-09 23:52:00 -0400 |
---|---|---|
committer | Roland Dreier <rolandd@cisco.com> | 2005-09-09 23:52:00 -0400 |
commit | 1b205c2d2464bfecbba80227e74b412596dc5521 (patch) | |
tree | 8c22c14bd8b2c6cde19bd05b5cbbc1c88b64152a | |
parent | 354ba39cf96e439149541acf3c6c7c0df0a3ef25 (diff) |
[PATCH] IB: fix CM use-after-free
If the CM REQ handling function gets to error2, then it frees
cm_id_priv->timewait_info. But the next line goes through
ib_destroy_cm_id() -> ib_send_cm_rej() -> cm_reset_to_idle(),
which ends up calling cm_cleanup_timewait(), which dereferences the
pointer we just freed. Make sure we clear cm_id_priv->timewait_info
after freeing it, so that doesn't happen.
Signed-off-by: Roland Dreier <rolandd@cisco.com>
-rw-r--r-- | drivers/infiniband/core/cm.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c index 96136543aa4e..54db6d4831f1 100644 --- a/drivers/infiniband/core/cm.c +++ b/drivers/infiniband/core/cm.c | |||
@@ -1315,6 +1315,7 @@ error3: atomic_dec(&cm_id_priv->refcount); | |||
1315 | cm_deref_id(listen_cm_id_priv); | 1315 | cm_deref_id(listen_cm_id_priv); |
1316 | cm_cleanup_timewait(cm_id_priv->timewait_info); | 1316 | cm_cleanup_timewait(cm_id_priv->timewait_info); |
1317 | error2: kfree(cm_id_priv->timewait_info); | 1317 | error2: kfree(cm_id_priv->timewait_info); |
1318 | cm_id_priv->timewait_info = NULL; | ||
1318 | error1: ib_destroy_cm_id(&cm_id_priv->id); | 1319 | error1: ib_destroy_cm_id(&cm_id_priv->id); |
1319 | return ret; | 1320 | return ret; |
1320 | } | 1321 | } |