[openib-general] [Fwd: [PATCH] RDMA/iwcm: Fix memory leak]

Steve WIse Thu, 09 Nov 2006 14:54:37 -0800

Roland,

This fix looks good.  IMO it's not high priority for 2.6.19, so 2.6.20
is fine.  If anyone thinks otherwise, hollar...




Acked-by: Steve Wise <[EMAIL PROTECTED]>

-------- Forwarded Message --------
From: Krishna Kumar <[EMAIL PROTECTED]>
To: openib-general@openib.org
Subject: [openib-general] [PATCH] RDMA/iwcm: Fix memory leak
Date: Thu, 09 Nov 2006 09:30:41 +0530

If we get IW_CM_EVENT_CONNECT_REQUEST message and
encounter an error (not in the LISTEN state, cannot
create an id, cannot alloc work_entry, etc), then
the memory allocated by cm_event_handler() in the
event->private_data gets leaked. Since cm_work_handler
has already put the event on the work_free_list, this
allocated memory is leaked. High backlog value can
allow DoS attacks.

Signed-off-by: Krishna Kumar <[EMAIL PROTECTED]>
---
diff -ruNp org/drivers/infiniband/core/iwcm.c new/drivers/infiniband/core/iwcm.c
--- org/drivers/infiniband/core/iwcm.c  2006-10-09 16:40:04.000000000 +0530
+++ new/drivers/infiniband/core/iwcm.c  2006-10-09 16:52:03.000000000 +0530
@@ -620,7 +620,7 @@ static void cm_conn_req_handler(struct i
        spin_lock_irqsave(&listen_id_priv->lock, flags);
        if (listen_id_priv->state != IW_CM_STATE_LISTEN) {
                spin_unlock_irqrestore(&listen_id_priv->lock, flags);
-               return;
+               goto out;
        }
        spin_unlock_irqrestore(&listen_id_priv->lock, flags);
 
@@ -629,7 +629,7 @@ static void cm_conn_req_handler(struct i
                                listen_id_priv->id.context);
        /* If the cm_id could not be created, ignore the request */
        if (IS_ERR(cm_id))
-               return;
+               goto out;
 
        cm_id->provider_data = iw_event->provider_data;
        cm_id->local_addr = iw_event->local_addr;
@@ -642,7 +642,7 @@ static void cm_conn_req_handler(struct i
        if (ret) {
                iw_cm_reject(cm_id, NULL, 0);
                iw_destroy_cm_id(cm_id);
-               return;
+               goto out;
        }
 
        /* Call the client CM handler */
@@ -654,6 +654,7 @@ static void cm_conn_req_handler(struct i
                        kfree(cm_id);
        }
 
+out:
        if (iw_event->private_data_len)
                kfree(iw_event->private_data);
 }

_______________________________________________
openib-general mailing list
openib-general@openib.org
http://openib.org/mailman/listinfo/openib-general

To unsubscribe, please visit http://openib.org/mailman/listinfo/openib-general



_______________________________________________
openib-general mailing list
openib-general@openib.org
http://openib.org/mailman/listinfo/openib-general

To unsubscribe, please visit http://openib.org/mailman/listinfo/openib-general

[openib-general] [Fwd: [PATCH] RDMA/iwcm: Fix memory leak]

Reply via email to