author | Andrew Morton <akpm@osdl.org> | 2005-08-09 18:29:19 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2005-08-09 18:29:19 -0400 |
commit | d64d3873721cfe870d49d73c3744f06260779ce7 (patch) | |
tree | b49a930e65ed4f30b4f8f2aac4ddb08c41bc4b79 /net/compat.c | |
parent | 3501466941347f0e1992b2672affb3feb92925fd (diff) |
[NET]: Fix memory leak in sys_{send,recv}msg() w/compat
From: Dave Johnson <djohnson+linux-kernel@sw.starentnetworks.com>
sendmsg()/recvmsg() syscalls from o32/n32 apps to a 64bit kernel will
cause a kernel memory leak if iov_len > UIO_FASTIOV for each syscall!
This is because both sys_sendmsg() and verify_compat_iovec() kmalloc a
new iovec structure. Only the one from sys_sendmsg() is freed.
I wrote a simple test program to confirm this after identifying the
problem:
http://davej.org/programs/testsendmsg.c
Note that the below fix will break solaris_sendmsg()/solaris_recvmsg() as
it also calls verify_compat_iovec() but expects it to malloc internally.
[ I fixed that. -DaveM ]
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/compat.c')
-rw-r--r-- | net/compat.c | 9 |
1 files changed, 0 insertions, 9 deletions
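--- a/net/compat.c
+++ b/net/compat.c
@@ -91,20 +91,11 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
 	} else
 		kern_msg->msg_name = NULL;
 
-	if(kern_msg->msg_iovlen > UIO_FASTIOV) {
-		kern_iov = kmalloc(kern_msg->msg_iovlen * sizeof(struct iovec),
-				   GFP_KERNEL);
-		if(!kern_iov)
-			return -ENOMEM;
-	}
-
 	tot_len = iov_from_user_compat_to_kern(kern_iov,
 					       (struct compat_iovec __user *)kern_msg->msg_iov,
 					       kern_msg->msg_iovlen);
 	if(tot_len >= 0)
 		kern_msg->msg_iov = kern_iov;
-	else if(kern_msg->msg_iovlen > UIO_FASTIOV)
-		kfree(kern_iov);
 
 	return tot_len;
 }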
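Review bot: With the internal kmalloc gone, the iov_from_user_compat_to_kern() call at new line 94 writes kern_msg->msg_iovlen entries into the caller-supplied kern_iov with no check that the buffer is that large, so the contract that the caller allocates (and frees) an array of at least msg_iovlen iovecs is now implicit and undocumented. verify_compat_iovec() begins before this hunk; I would add above its definition `/* kern_iov must be caller-allocated with room for kern_msg->msg_iovlen entries; this function never allocates or frees it, so a UIO_FASTIOV-sized fast-path array is only valid when msg_iovlen <= UIO_FASTIOV. */`. Any caller that still relied on the removed allocation (the description names the solaris wrappers) would now overrun a fixed-size array rather than leak, so it is worth confirming every caller was updated in the same change.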