[PATCH] Fix kfree() corruption in sock_read_buffer_sendmsg()

Serge E. Hallyn serue at us.ibm.com
Fri Aug 14 11:51:45 PDT 2009


Quoting Dan Smith (danms at us.ibm.com):
> The memcpy_from_iovec() function that the unix sendmsg functions use modifies
> the struct msghdr.  Since the current code uses the msg.iovec_base pointer
> in the msghdr for the kmalloc() and kfree(), we end up freeing the wrong
> pointer.  This patch stores the original address in a separate pointer and
> corrects the kfree() call to use it.
> 
> Cc: serue at us.ibm.com
> Signed-off-by: Dan Smith <danms at us.ibm.com>

Tested-by: Serge Hallyn <serue at us.ibm.com>

> ---
>  net/unix/checkpoint.c |    8 +++++---
>  1 files changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/net/unix/checkpoint.c b/net/unix/checkpoint.c
> index 841d25d..65b7025 100644
> --- a/net/unix/checkpoint.c
> +++ b/net/unix/checkpoint.c
> @@ -118,6 +118,7 @@ static int sock_read_buffer_sendmsg(struct ckpt_ctx *ctx, struct sock *sock)
>  {
>  	struct msghdr msg;
>  	struct kvec kvec;
> +	void *buf;
>  	int ret = 0;
>  	int len;
> 
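Review bot: `buf` is declared without an initialiser, so if any path between this declaration and the kmalloc() in the second hunk jumps to `out:` (the block that closes at the top of the second hunk is not visible here), the `kfree(buf)` in the third hunk frees an indeterminate pointer; the pre-patch `kfree(kvec.iov_base)` had the same exposure. Initialising it, `void *buf = NULL;`, makes the cleanup safe on every path, since kfree(NULL) is a no-op. A short comment above the declaration would also preserve the reason for the separate pointer, e.g. `/* original allocation; sendmsg may advance msg's iov pointers, so kvec.iov_base is not a reliable argument for kfree() */`. The function body continues past this hunk.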
> @@ -134,8 +135,9 @@ static int sock_read_buffer_sendmsg(struct ckpt_ctx *ctx, struct sock *sock)
>  	}
> 
>  	kvec.iov_len = len;
> -	kvec.iov_base = kmalloc(len, GFP_KERNEL);
> -	if (!kvec.iov_base)
> +	buf = kmalloc(len, GFP_KERNEL);
> +	kvec.iov_base = buf;
> +	if (!buf)
>  		return -ENOMEM;
> 
>  	ret = ckpt_kread(ctx, kvec.iov_base, len);
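Review bot: `ret = ckpt_kread(ctx, kvec.iov_base, len);` still addresses the buffer through kvec.iov_base while the allocation and the free now go through `buf`; for consistency with the reason the commit gives, the read should use the pointer that is known not to move, `ret = ckpt_kread(ctx, buf, len);`. Moving `kvec.iov_base = buf;` after the NULL check rather than before it would additionally avoid publishing a NULL base into the kvec on the -ENOMEM path, although nothing appears to use it there. The hunk begins and ends mid-function, and whether `len` is range-checked before the kmalloc() is not visible here.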
> @@ -147,7 +149,7 @@ static int sock_read_buffer_sendmsg(struct ckpt_ctx *ctx, struct sock *sock)
>  	if ((ret > 0) && (ret != len))
>  		ret = -ENOMEM;
>   out:
> -	kfree(kvec.iov_base);
> +	kfree(buf);
> 
>  	return ret;
>  }
> -- 
> 1.6.2.5

