Commit 02ad8175 authored Jun 04, 2024 by Xin Long Committed by Zhengchao Shao Jun 04, 2024

tipc: fix a possible memleak in tipc_buf_append

stable inclusion
from stable-v5.10.217
commit adbce6d20da6254c86425a8d4359b221b5ccbccd
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9US4T
CVE: CVE-2024-36954

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=adbce6d20da6254c86425a8d4359b221b5ccbccd



--------------------------------

[ Upstream commit 97bf6f81b29a8efaf5d0983251a7450e5794370d ]

__skb_linearize() doesn't free the skb when it fails, so move
'*buf = NULL' after __skb_linearize(), so that the skb can be
freed on the err path.

Fixes: b7df21cf ("tipc: skb_linearize the head skb when reassembling msgs")
Reported-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
Link: https://lore.kernel.org/r/90710748c29a1521efac4f75ea01b3b7e61414cf.1714485818.git.lucien.xin@gmail.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>

parent 83e8197d

net/tipc/msg.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -148,9 +148,9 @@ int tipc_buf_append(struct sk_buff headbuf, struct sk_buff buf)
		if (fragid == FIRST_FRAGMENT) {
		if (unlikely(head))
		goto err;
		*buf = NULL;
		if (skb_has_frag_list(frag) && __skb_linearize(frag))
		goto err;
		*buf = NULL;
		frag = skb_unshare(frag, GFP_ATOMIC);
		if (unlikely(!frag))
		goto err;