authorHerbert Xu <herbert@gondor.apana.org.au>2005-10-16 07:08:46 -0400
committerArnaldo Carvalho de Melo <acme@mandriva.com>2005-10-20 12:44:29 -0400
commitffa29347dfbc158d1f47f5925324a6f5713659c1 (patch)
tree66c0360d21cc842af830b9c7ffd6e924652e7ce3
parentfda0fd6c5b722cc48e904e0daafedca275d332af (diff)
[DCCP]: Make dccp_write_xmit always free the packet
icmp_send doesn't use skb->sk at all so even if skb->sk has already been freed it can't cause a crash there (it would've crashed somewhere else first, e.g., ip_queue_xmit). I found a double-free on an skb that could explain this though. dccp_sendmsg and dccp_write_xmit are a little confused as to what should free the packet when something goes wrong. Sometimes they both go for the ball and end up in each other's way. This patch makes dccp_write_xmit always free the packet no matter what. This makes sense since dccp_transmit_skb always frees the packet, which in turn comes from the fact that ip_queue_xmit always frees the packet. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
-rw-r--r--net/dccp/output.c3
-rw-r--r--net/dccp/proto.c2
2 files changed, 2 insertions, 3 deletions
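--- a/net/dccp/output.c
+++ b/net/dccp/output.c
@@ -241,7 +241,8 @@ int dccp_write_xmit(struct sock *sk, struct sk_buff *skb, long *timeo)
 
 err = dccp_transmit_skb(sk, skb);
 ccid_hc_tx_packet_sent(dp->dccps_hc_tx_ccid, sk, 0, len);
-}
+} else
+kfree_skb(skb);
 
 return err;
 }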
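Review bot: The `else kfree_skb(skb);` branch added at the end of dccp_write_xmit changes who owns skb, but nothing in the hunk records that the function now consumes the buffer on every path. A comment above the function, for example `/* Always consumes skb, on success and on error; the caller must not free or touch it afterwards. */`, would make it harder to reintroduce the double-free from the caller side. The function body starts outside the hunk, so any earlier return that is not visible here should be checked to confirm it also frees skb. As a style point, kernel coding style wants braces on both branches when one of them has them, so the new branch would read `} else {`, `kfree_skb(skb);`, `}`.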
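--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -402,8 +402,6 @@ int dccp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
 * This bug was _quickly_ found & fixed by just looking at an OSTRA
 * generated callgraph 8) -acme
 */
-if (rc != 0)
-goto out_discard;
 out_release:
 release_sock(sk);
 return rc ? : len;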