[patch] 2.5.73bk - leak in "recent" iptables

Francois Romieu (romieu@fr.zoreil.com)
Wed, 25 Jun 2003 21:46:06 +0200

ip_recent_ctrl(): locally allocated variables aren't freed during error path.
No reference to these variables exists outside of ip_recent_ctrl().

<remark>
module already used both "if(foo)" and "if (foo)" before the change.
</remark>

net/ipv4/netfilter/ipt_recent.c | 12 ++++++++++--
1 files changed, 10 insertions(+), 2 deletions(-)

diff -puN net/ipv4/netfilter/ipt_recent.c~janitor-leak-iptables-recent net/ipv4/netfilter/ipt_recent.c
--- linux-2.5.73-1.1348.16.4-to-1.1448/net/ipv4/netfilter/ipt_recent.c~janitor-leak-iptables-recent Wed Jun 25 21:17:10 2003
+++ linux-2.5.73-1.1348.16.4-to-1.1448-fr/net/ipv4/netfilter/ipt_recent.c Wed Jun 25 21:27:48 2003
@@ -300,9 +300,15 @@ static int ip_recent_ctrl(struct file *f
info->name[IPT_RECENT_NAME_LEN-1] = '\0';

skb = kmalloc(sizeof(struct sk_buff),GFP_KERNEL);
- if(!skb) { return -ENOMEM; }
+ if (!skb) {
+ used = -ENOMEM;
+ goto out_free_info;
+ }
skb->nh.iph = kmalloc(sizeof(struct iphdr),GFP_KERNEL);
- if(!skb->nh.iph) { return -ENOMEM; }
+ if (!skb->nh.iph) {
+ used = -ENOMEM;
+ goto out_free_skb;
+ }

skb->nh.iph->saddr = addr;
skb->nh.iph->daddr = 0;
@@ -311,7 +317,9 @@ static int ip_recent_ctrl(struct file *f
match(skb,NULL,NULL,info,0,NULL);

kfree(skb->nh.iph);
+out_free_skb:
kfree(skb);
+out_free_info:
kfree(info);

#ifdef DEBUG

_
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/