author | Julia Lawall <julia@diku.dk> | 2010-08-27 22:31:56 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-08-27 22:31:56 -0400 |
commit | c34186ed008229e7f7e3f1de8e6acf6374995358 (patch) | |
tree | b8d24a6503fc847d7dd1fa55b73aa9ca45781730 | |
parent | 7e368739e3b3f1d7944794c178a15f05829b56bc (diff) |
net/ipv4: Eliminate kstrdup memory leak
The string clone is only used as a temporary copy of the argument val
within the while loop, and so it should be freed before leaving the
function. The call to strsep, however, modifies clone, so a pointer to the
front of the string is kept in saved_clone, to make it possible to free it.
The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)
// <smpl>
@r exists@
local idexpression x;
expression E;
identifier l;
statement S;
@@
*x= \(kasprintf\|kstrdup\)(...);
...
if (x == NULL) S
... when != kfree(x)
when != E = x
if (...) {
<... when != kfree(x)
* goto l;
...>
* return ...;
}
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv4/tcp_cong.c | 5 |
1 files changed, 3 insertions, 2 deletions
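--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -196,10 +196,10 @@ void tcp_get_allowed_congestion_control(char *buf, size_t maxlen)
 int tcp_set_allowed_congestion_control(char *val)
 {
 struct tcp_congestion_ops *ca;
-char *clone, *name;
+char *saved_clone, *clone, *name;
 int ret = 0;
 
-clone = kstrdup(val, GFP_USER);
+saved_clone = clone = kstrdup(val, GFP_USER);
 if (!clone)
 return -ENOMEM;
 
@@ -226,6 +226,7 @@ int tcp_set_allowed_congestion_control(char *val)
 }
 out:
 spin_unlock(&tcp_cong_list_lock);
+kfree(saved_clone);
 
 return ret;
 }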
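Review bot: Nothing at the declaration or at the `kfree(saved_clone)` call records why two pointers to the same allocation are kept, so a later cleanup could plausibly collapse them and free `clone` instead. Per the commit message, strsep advances `clone` (the loop sits between the two hunks and is not shown), so at `out:` it is presumably either NULL or pointing inside the buffer; freeing it would either reintroduce the leak or pass kfree an address that is not the start of the allocation. I would add `/* strsep() advances clone; saved_clone keeps the kstrdup() start for kfree() */` above the assignment. As a style point, the chained assignment could be split into `clone = kstrdup(val, GFP_USER);` followed by `saved_clone = clone;`, since kernel coding style discourages multiple assignments on one line.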