[PATCH] sctp: Fix sk_buff leak when receiving a datagram

From: Xiyu Yang
Date: Sat Jun 13 2020 - 08:40:14 EST

Next message: Mikulas Patocka: "Re: [PATCH] dm writecache: correct uncommitted_block when discarding uncommitted entry"
Previous message: Xiyu Yang: "[PATCH] drm/ttm: Fix dma_fence refcnt leak when adding move fence"
Next in thread: Neil Horman: "Re: [PATCH] sctp: Fix sk_buff leak when receiving a datagram"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In sctp_skb_recv_datagram(), the function fetch a sk_buff object from
the receiving queue to "skb" by calling skb_peek() or __skb_dequeue()
and return its reference to the caller.

However, when calling __skb_dequeue() successfully, the function forgets
to hold a reference count of the "skb" object and directly return it,
causing a potential memory leak in the caller function.

Fix this issue by calling refcount_inc after __skb_dequeue()
successfully executed.

Signed-off-by: Xiyu Yang <xiyuyang19@xxxxxxxxxxxx>
Signed-off-by: Xin Tan <tanxin.ctf@xxxxxxxxx>
---
net/sctp/socket.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index d57e1a002ffc..4c8f0b83efd0 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -8990,6 +8990,8 @@ struct sk_buff *sctp_skb_recv_datagram(struct sock *sk, int flags,
refcount_inc(&skb->users);
} else {
skb = __skb_dequeue(&sk->sk_receive_queue);
+ if (skb)
+ refcount_inc(&skb->users);
}

if (skb)
--
2.7.4

Next message: Mikulas Patocka: "Re: [PATCH] dm writecache: correct uncommitted_block when discarding uncommitted entry"
Previous message: Xiyu Yang: "[PATCH] drm/ttm: Fix dma_fence refcnt leak when adding move fence"
Next in thread: Neil Horman: "Re: [PATCH] sctp: Fix sk_buff leak when receiving a datagram"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]