tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

tipc: fix double-free in tipc_buf_append()

tipc_msg_validate() can potentially reallocate the skb it is validating,
freeing the old one. In tipc_buf_append(), it was being called with a
pointer to a local variable which was a copy of the caller's skb
pointer.

If the skb was reallocated and validation subsequently failed, the error
handling path would free the original skb pointer, which had already
been freed, leading to double-free.

Fix this by checking if head now points to a newly allocated reassembled
skb. If it does, reassign *headbuf for later freeing operations.

Fixes: d618d09a68e4 ("tipc: enforce valid ratio between skb truesize and contents")
Suggested-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Signed-off-by: Lee Jones <lee@kernel.org>
Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Lee Jones and committed by
Jakub Kicinski d293ca71 864ba40c

+13 -1
+13 -1
net/tipc/msg.c
··· 177 177 178 178 if (fragid == LAST_FRAGMENT) { 179 179 TIPC_SKB_CB(head)->validated = 0; 180 - if (unlikely(!tipc_msg_validate(&head))) 180 + 181 + /* If the reassembled skb has been freed in 182 + * tipc_msg_validate() because of an invalid truesize, 183 + * then head will point to a newly allocated reassembled 184 + * skb, while *headbuf points to freed reassembled skb. 185 + * In such cases, correct *headbuf for freeing the newly 186 + * allocated reassembled skb later. 187 + */ 188 + if (unlikely(!tipc_msg_validate(&head))) { 189 + if (head != *headbuf) 190 + *headbuf = head; 181 191 goto err; 192 + } 193 + 182 194 *buf = head; 183 195 TIPC_SKB_CB(head)->tail = NULL; 184 196 *headbuf = NULL;