diff options
| author | Krishna Kumar <krkumar2@in.ibm.com> | 2006-11-08 23:00:41 -0500 |
|---|---|---|
| committer | Roland Dreier <rolandd@cisco.com> | 2006-11-29 18:33:07 -0500 |
| commit | 83b96586239bf6c719ff640341e1cf83e4a7c046 (patch) | |
| tree | fafbfdbc713e45e2972c27795444af3d62db39c5 /drivers/infiniband | |
| parent | 33ba0fa9f315ce32fbb86fa671c131f5355b52a1 (diff) | |
RDMA/iwcm: Fix memory leak
If we get IW_CM_EVENT_CONNECT_REQUEST message and encounter an error
(not in the LISTEN state, cannot create an id, cannot alloc
work_entry, etc), then the memory allocated by cm_event_handler() in
the event->private_data gets leaked. Since cm_work_handler has already
put the event on the work_free_list, this allocated memory is
leaked. High backlog value can allow DoS attacks.
Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
Acked-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'drivers/infiniband')
| -rw-r--r-- | drivers/infiniband/core/iwcm.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c index 22d498c9a68b..0cfd7848dd37 100644 --- a/drivers/infiniband/core/iwcm.c +++ b/drivers/infiniband/core/iwcm.c | |||
| @@ -619,7 +619,7 @@ static void cm_conn_req_handler(struct iwcm_id_private *listen_id_priv, | |||
| 619 | spin_lock_irqsave(&listen_id_priv->lock, flags); | 619 | spin_lock_irqsave(&listen_id_priv->lock, flags); |
| 620 | if (listen_id_priv->state != IW_CM_STATE_LISTEN) { | 620 | if (listen_id_priv->state != IW_CM_STATE_LISTEN) { |
| 621 | spin_unlock_irqrestore(&listen_id_priv->lock, flags); | 621 | spin_unlock_irqrestore(&listen_id_priv->lock, flags); |
| 622 | return; | 622 | goto out; |
| 623 | } | 623 | } |
| 624 | spin_unlock_irqrestore(&listen_id_priv->lock, flags); | 624 | spin_unlock_irqrestore(&listen_id_priv->lock, flags); |
| 625 | 625 | ||
| @@ -628,7 +628,7 @@ static void cm_conn_req_handler(struct iwcm_id_private *listen_id_priv, | |||
| 628 | listen_id_priv->id.context); | 628 | listen_id_priv->id.context); |
| 629 | /* If the cm_id could not be created, ignore the request */ | 629 | /* If the cm_id could not be created, ignore the request */ |
| 630 | if (IS_ERR(cm_id)) | 630 | if (IS_ERR(cm_id)) |
| 631 | return; | 631 | goto out; |
| 632 | 632 | ||
| 633 | cm_id->provider_data = iw_event->provider_data; | 633 | cm_id->provider_data = iw_event->provider_data; |
| 634 | cm_id->local_addr = iw_event->local_addr; | 634 | cm_id->local_addr = iw_event->local_addr; |
| @@ -641,7 +641,7 @@ static void cm_conn_req_handler(struct iwcm_id_private *listen_id_priv, | |||
| 641 | if (ret) { | 641 | if (ret) { |
| 642 | iw_cm_reject(cm_id, NULL, 0); | 642 | iw_cm_reject(cm_id, NULL, 0); |
| 643 | iw_destroy_cm_id(cm_id); | 643 | iw_destroy_cm_id(cm_id); |
| 644 | return; | 644 | goto out; |
| 645 | } | 645 | } |
| 646 | 646 | ||
| 647 | /* Call the client CM handler */ | 647 | /* Call the client CM handler */ |
| @@ -653,6 +653,7 @@ static void cm_conn_req_handler(struct iwcm_id_private *listen_id_priv, | |||
| 653 | kfree(cm_id); | 653 | kfree(cm_id); |
| 654 | } | 654 | } |
| 655 | 655 | ||
| 656 | out: | ||
| 656 | if (iw_event->private_data_len) | 657 | if (iw_event->private_data_len) |
| 657 | kfree(iw_event->private_data); | 658 | kfree(iw_event->private_data); |
| 658 | } | 659 | } |