Repository : ssh://git@open-mesh.org/batman-adv
On branch : master
commit 0b415bb4dfe2351526ec7de5558a5fcce47642d4 Author: Martin Hundebøll martin@hundeboll.net Date: Tue May 28 08:23:22 2013 +0200
batman-adv: fix possible memleak in fragmentation
Use a variable for return value in batadv_frag_insert_packet() to free the allocated struct batadv_frag_list_entry in all cases where it is not inserted into a chain.
Introduced by 9b3eab61754d74a93c9840c296013fe3b4a1b606 ("batman-adv: Receive fragmented packets and merge")
Signed-off-by: Martin Hundebøll martin@hundeboll.net Signed-off-by: Marek Lindner lindner_marek@yahoo.de
0b415bb4dfe2351526ec7de5558a5fcce47642d4 fragmentation.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/fragmentation.c b/fragmentation.c index 6054ff6..ab85e75 100644 --- a/fragmentation.c +++ b/fragmentation.c @@ -129,10 +129,11 @@ static bool batadv_frag_insert_packet(struct batadv_orig_node *orig_node, struct hlist_head *chain_out) { struct batadv_frag_table_entry *chain; - struct batadv_frag_list_entry *frag_entry_new, *frag_entry_curr; + struct batadv_frag_list_entry *frag_entry_new = NULL, *frag_entry_curr; struct batadv_frag_packet *frag_packet; uint8_t bucket; uint16_t seqno, hdr_size = sizeof(struct batadv_frag_packet); + bool ret = false;
/* Linearize packet to avoid linearizing 16 packets in a row when doing * the later merge. Non-linear merge should be added to remove this @@ -162,6 +163,7 @@ static bool batadv_frag_insert_packet(struct batadv_orig_node *orig_node, hlist_add_head(&frag_entry_new->list, &chain->head); chain->size = skb->len - hdr_size; chain->timestamp = jiffies; + ret = true; goto out; }
@@ -177,6 +179,7 @@ static bool batadv_frag_insert_packet(struct batadv_orig_node *orig_node, &frag_entry_curr->list); chain->size += skb->len - hdr_size; chain->timestamp = jiffies; + ret = true; goto out; } } @@ -186,6 +189,7 @@ static bool batadv_frag_insert_packet(struct batadv_orig_node *orig_node, hlist_add_after(&frag_entry_curr->list, &frag_entry_new->list); chain->size += skb->len - hdr_size; chain->timestamp = jiffies; + ret = true; }
out: @@ -202,14 +206,14 @@ out: chain->size = 0; }
- spin_unlock_bh(&chain->lock); - return true; - err_unlock: spin_unlock_bh(&chain->lock); - kfree(frag_entry_new); + err: - return false; + if (!ret) + kfree(frag_entry_new); + + return ret; }
/**