| author | Roland Dreier <roland@eddore.topspincom.com> | 2005-09-09 23:52:00 -0400 |
|---|---|---|
| committer | Roland Dreier <rolandd@cisco.com> | 2005-09-09 23:52:00 -0400 |
| commit | 1b205c2d2464bfecbba80227e74b412596dc5521 (patch) | |
| tree | 8c22c14bd8b2c6cde19bd05b5cbbc1c88b64152a | |
| parent | 354ba39cf96e439149541acf3c6c7c0df0a3ef25 (diff) | |
[PATCH] IB: fix CM use-after-free
If the CM REQ handling function gets to error2, then it frees
cm_id_priv->timewait_info. But the next line goes through
ib_destroy_cm_id() -> ib_send_cm_rej() -> cm_reset_to_idle(),
which ends up calling cm_cleanup_timewait(), which dereferences the
pointer we just freed. Make sure we clear cm_id_priv->timewait_info
after freeing it, so that doesn't happen.
Signed-off-by: Roland Dreier <rolandd@cisco.com>
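The failure mode the commit message describes, as an added example written for this page and not taken from the kernel: simplified stand-ins for cm_id_private, cm_timewait_info, cm_cleanup_timewait() and cm_reset_to_idle() (every name and field below is an assumption, not the kernel's layout), with a poisoning quarantine in place of kfree() so that the dangling-pointer dereference shows up as a result code rather than as undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the kernel objects; the real cm_id_private and
 * cm_timewait_info are far larger. The magic words mimic slab poisoning so a
 * dereference of a freed entry is detectable instead of undefined behaviour. */
#define TW_MAGIC_LIVE  0x54574c56u
#define TW_MAGIC_FREED 0x6b6b6b6bu   /* POISON_FREE byte pattern used by slab debugging */

struct timewait_info {
    unsigned int magic;
    int remote_qpn;
    bool on_list;
};

struct cm_id_priv {
    struct timewait_info *timewait_info;
    int state;                        /* 0 = idle, 1 = REQ received */
};

enum cleanup_result {
    CLEANUP_USE_AFTER_FREE = -1,      /* callee touched a poisoned (freed) entry */
    CLEANUP_NONE = 0,                 /* pointer was NULL: nothing to do */
    CLEANUP_OK = 1,                   /* live entry unlinked */
};

/* Quarantine instead of free() so the poisoned object stays readable. */
static struct timewait_info *quarantine[8];
static int nquarantine;

static struct timewait_info *tw_alloc(int remote_qpn)
{
    struct timewait_info *tw = calloc(1, sizeof(*tw));
    if (!tw)
        abort();
    tw->magic = TW_MAGIC_LIVE;
    tw->remote_qpn = remote_qpn;
    tw->on_list = true;
    return tw;
}

static void tw_free(struct timewait_info *tw)
{
    if (!tw)
        return;                       /* kfree(NULL) is a no-op too */
    tw->magic = TW_MAGIC_FREED;
    quarantine[nquarantine++] = tw;
}

static void quarantine_drain(void)
{
    while (nquarantine > 0)
        free(quarantine[--nquarantine]);
}

/* Stand-in for cm_cleanup_timewait(): must tolerate NULL, because the fix
 * hands it NULL on the error path. */
static int cleanup_timewait(struct timewait_info *tw)
{
    if (!tw)
        return CLEANUP_NONE;
    if (tw->magic != TW_MAGIC_LIVE)
        return CLEANUP_USE_AFTER_FREE;
    tw->on_list = false;
    return CLEANUP_OK;
}

/* Stand-in for cm_reset_to_idle(), the function ib_destroy_cm_id() reaches
 * through ib_send_cm_rej() according to the commit message. */
static int reset_to_idle(struct cm_id_priv *p)
{
    p->state = 0;
    return cleanup_timewait(p->timewait_info);
}

/* Shape of the REQ error path: error2 frees, error1 destroys the id. */
static int req_error_path(struct cm_id_priv *p, bool clear_after_free)
{
    tw_free(p->timewait_info);        /* error2: kfree(cm_id_priv->timewait_info); */
    if (clear_after_free)
        p->timewait_info = NULL;      /* the one-line fix */
    return reset_to_idle(p);          /* error1: ib_destroy_cm_id(&cm_id_priv->id); */
}

/* Runs one REQ failure with or without the fix and returns the cleanup result. */
int run_error_path(bool clear_after_free)
{
    struct cm_id_priv p = { .timewait_info = tw_alloc(7), .state = 1 };
    int r = req_error_path(&p, clear_after_free);
    quarantine_drain();
    return r;
}

int main(void)
{
    printf("without clearing: %d (expect %d, use-after-free)\n",
           run_error_path(false), CLEANUP_USE_AFTER_FREE);
    printf("with clearing:    %d (expect %d, nothing to clean up)\n",
           run_error_path(true), CLEANUP_NONE);
    return 0;
}
```

The fix only turns a dangling pointer into a NULL pointer; that is a repair rather than a crash swap solely because the cleanup routine checks for NULL before it dereferences. In a real kernel the unfixed path is the kind of bug that slab poisoning (the 0x6b POISON_FREE fill) or KASAN catches at the first read of the freed object, which is why running this driver under those options is the practical way to find the next one.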
| -rw-r--r-- | drivers/infiniband/core/cm.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
index 96136543aa4e..54db6d4831f1 100644
--- a/drivers/infiniband/core/cm.c
+++ b/drivers/infiniband/core/cm.c
| @@ -1315,6 +1315,7 @@ error3: atomic_dec(&cm_id_priv->refcount); | |||
| 1315 | cm_deref_id(listen_cm_id_priv); | 1315 | cm_deref_id(listen_cm_id_priv); |
| 1316 | cm_cleanup_timewait(cm_id_priv->timewait_info); | 1316 | cm_cleanup_timewait(cm_id_priv->timewait_info); |
| 1317 | error2: kfree(cm_id_priv->timewait_info); | 1317 | error2: kfree(cm_id_priv->timewait_info); |
| 1318 | cm_id_priv->timewait_info = NULL; | ||
| 1318 | error1: ib_destroy_cm_id(&cm_id_priv->id); | 1319 | error1: ib_destroy_cm_id(&cm_id_priv->id); |
| 1319 | return ret; | 1320 | return ret; |
| 1320 | } | 1321 | } |
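Review bot: the added `cm_id_priv->timewait_info = NULL;` at line 1318 only removes the use-after-free if cm_cleanup_timewait(), reached from `error1: ib_destroy_cm_id(&cm_id_priv->id);` via ib_send_cm_rej() and cm_reset_to_idle() per the commit message, returns early on a NULL timewait_info; that function is outside this hunk, so confirm it checks for NULL before dereferencing, otherwise the patch trades a use-after-free for a NULL dereference on the same path. A one-line comment above the assignment saying that the destroy path below still reads the pointer would also help, since nothing in the error3/error2/error1 label sequence makes that dependency visible, and it is the same reason the error3 call `cm_cleanup_timewait(cm_id_priv->timewait_info);` must stay before the kfree.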
