[PATCH] Fix kfree() corruption in sock_read_buffer_sendmsg()

Dan Smith danms at us.ibm.com
Fri Aug 14 08:35:53 PDT 2009


The memcpy_from_iovec() function that the unix sendmsg functions use modifies
the struct msghdr.  Since the current code uses the msg.iovec_base pointer
in the msghdr for the kmalloc() and kfree(), we end up freeing the wrong
pointer.  This patch stores the original address in a separate pointer and
corrects the kfree() call to use it.

Cc: serue at us.ibm.com
Signed-off-by: Dan Smith <danms at us.ibm.com>
---
 net/unix/checkpoint.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/unix/checkpoint.c b/net/unix/checkpoint.c
index 841d25d..65b7025 100644
--- a/net/unix/checkpoint.c
+++ b/net/unix/checkpoint.c
@@ -118,6 +118,7 @@ static int sock_read_buffer_sendmsg(struct ckpt_ctx *ctx, struct sock *sock)
 {
 	struct msghdr msg;
 	struct kvec kvec;
+	void *buf;
 	int ret = 0;
 	int len;
 
@@ -134,8 +135,9 @@ static int sock_read_buffer_sendmsg(struct ckpt_ctx *ctx, struct sock *sock)
 	}
 
 	kvec.iov_len = len;
-	kvec.iov_base = kmalloc(len, GFP_KERNEL);
-	if (!kvec.iov_base)
+	buf = kmalloc(len, GFP_KERNEL);
+	kvec.iov_base = buf;
+	if (!buf)
 		return -ENOMEM;
 
 	ret = ckpt_kread(ctx, kvec.iov_base, len);
@@ -147,7 +149,7 @@ static int sock_read_buffer_sendmsg(struct ckpt_ctx *ctx, struct sock *sock)
 	if ((ret > 0) && (ret != len))
 		ret = -ENOMEM;
  out:
-	kfree(kvec.iov_base);
+	kfree(buf);
 
 	return ret;
 }
-- 
1.6.2.5



More information about the Containers mailing list