[PATCH] Fix potential memory leak in tipc_named_node_up()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



There seems to be a memory leak in net/tipc/name_distr.c::tipc_named_node_up()

The function, with comments, is this :

void tipc_named_node_up(unsigned long node)
{
        struct publication *publ;
        struct distr_item *item = NULL;
        struct sk_buff *buf = NULL;
        u32 left = 0;
        u32 rest;
        u32 max_item_buf;

        read_lock_bh(&tipc_nametbl_lock);
        max_item_buf = TIPC_MAX_USER_MSG_SIZE / ITEM_SIZE;
        max_item_buf *= ITEM_SIZE;
        rest = publ_cnt * ITEM_SIZE;

        list_for_each_entry(publ, &publ_root, local_list) {
-----> If we stop processing here after doing 1, 2 & 3 below we end up at (4) (below).
                if (!buf) {
                        left = (rest <= max_item_buf) ? rest : max_item_buf;
                        rest -= left;
                        buf = named_prepare_buf(PUBLICATION, left, node);
-----> (1) here we allocate memory and store a pointer to it in 'buf'.

                        if (!buf) {
-----> (2) This test needs to fail, meaning we did allocate some memory.
                                warn("Bulk publication distribution failure\n");
                                goto exit;
                        }
                        item = (struct distr_item *)msg_data(buf_msg(buf));
                }
                publ_to_item(item, publ);
                item++;
                left -= ITEM_SIZE;
                if (!left) {
-----> (3) If this test fails we loop and do nothing to 'buf'.
                        msg_set_link_selector(buf_msg(buf), node);
                        dbg("tipc_named_node_up: sending publish msg to "
                            "<%u.%u.%u>\n", tipc_zone(node),
                            tipc_cluster(node), tipc_node(node));
                        tipc_link_send(buf, node, node);
                        buf = NULL;
                }
        }
exit:
        read_unlock_bh(&tipc_nametbl_lock);
-----> (4) here we return without freeing 'buf' - memory leak.
}

Luckily this is easy to fix, since we can only leave the function with 'buf'
either set to NULL or (in the leak case) set to a valid address, and since 
kfree() handles being passed NULL gracefully we can simply kfree(buf) just 
before we leave the function.

The patch below frees 'buf' before leaving the function, thus avoiding the 
potential leak.



Fix a potential memory leak in tipc_named_node_up()

Signed-off-by: Jesper Juhl <[email protected]>
---

 net/tipc/name_distr.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c
index 39fd161..228ccfe 100644
--- a/net/tipc/name_distr.c
+++ b/net/tipc/name_distr.c
@@ -204,6 +204,7 @@ void tipc_named_node_up(unsigned long node)
 	}
 exit:
 	read_unlock_bh(&tipc_nametbl_lock);
+	kfree(buf);
 }
 
 /**



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux