authorHerbert Xu <herbert@gondor.apana.org.au>2009-01-14 01:17:51 -0500
committerDavid S. Miller <davem@davemloft.net>2009-01-14 01:17:51 -0500
commit7891cc818967e186be68caac32d84bfd0a3f0bd2 (patch)
treee8ac3bb46c043f7fd2a39d80e0b61ff7db30fb5c /net
parent33966dd0e2f68f26943cd9ee93ec6abbc6547a8e (diff)
ipv6: Fix fib6_dump_table walker leak
When a fib6 table dump is prematurely ended, we won't unlink its walker from the list. This causes all sorts of grief for other users of the list later. Reported-by: Chris Caputo <ccaputo@alt.net> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv6/ip6_fib.c15
1 files changed, 8 insertions, 7 deletions
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index 29c7c99e69f7..52ee1dced2ff 100644
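--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -298,6 +298,10 @@ static void fib6_dump_end(struct netlink_callback *cb)
 struct fib6_walker_t *w = (void*)cb->args[2];
 
 if (w) {
+if (cb->args[4]) {
+cb->args[4] = 0;
+fib6_walker_unlink(w);
+}
 cb->args[2] = 0;
 kfree(w);
 }
@@ -330,15 +334,12 @@ static int fib6_dump_table(struct fib6_table *table, struct sk_buff *skb,
 read_lock_bh(&table->tb6_lock);
 res = fib6_walk_continue(w);
 read_unlock_bh(&table->tb6_lock);
-if (res != 0) {
-if (res < 0)
-fib6_walker_unlink(w);
-goto end;
+if (res <= 0) {
+fib6_walker_unlink(w);
+cb->args[4] = 0;
 }
-fib6_walker_unlink(w);
-cb->args[4] = 0;
 }
-end:
+
 return res;
 }
 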
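Review bot: Nothing in fib6_dump_end() documents that `cb->args[4]` is now the only record of whether the walker stored in `cb->args[2]` is still on the walker list, yet the `kfree(w)` a few lines below the new test is safe only if that flag is accurate. A short comment above the added `if (cb->args[4])` would pin the invariant, e.g. `/* args[4] != 0: w is still linked on the walker list; unlink it before kfree() */`. The same rule applies in the second hunk, where fib6_dump_table() clears `cb->args[4]` right after `fib6_walker_unlink(w)` for `res <= 0` and leaves both untouched for `res > 0`, presumably so that a later dump call or fib6_dump_end() picks the walker up again; a one-line comment on that branch would make the hand-off explicit. Both functions start outside their hunks, so the code that sets `cb->args[4]` is not visible here and should be checked against the same rule.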