提交 1b384524 编写于 作者: Y YueHaibing 提交者: Shile Zhang

dccp: Fix memleak in __feat_register_sp

commit 1d3ff0950e2b40dc861b1739029649d03f591820 upstream.

[ Fixes: CVE-2019-20096 ]

If dccp_feat_push_change fails, we forget free the mem
which is alloced by kmemdup in dccp_feat_clone_sp_val.
Reported-by: NHulk Robot <hulkci@huawei.com>
Fixes: e8ef967a ("dccp: Registration routines for changing feature values")
Reviewed-by: NMukesh Ojha <mojha@codeaurora.org>
Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
Signed-off-by: NBen Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NShile Zhang <shile.zhang@linux.alibaba.com>
Acked-by: NCaspar Zhang <caspar@linux.alibaba.com>
上级 0a811926
...@@ -738,7 +738,12 @@ static int __feat_register_sp(struct list_head *fn, u8 feat, u8 is_local, ...@@ -738,7 +738,12 @@ static int __feat_register_sp(struct list_head *fn, u8 feat, u8 is_local,
if (dccp_feat_clone_sp_val(&fval, sp_val, sp_len)) if (dccp_feat_clone_sp_val(&fval, sp_val, sp_len))
return -ENOMEM; return -ENOMEM;
return dccp_feat_push_change(fn, feat, is_local, mandatory, &fval); if (dccp_feat_push_change(fn, feat, is_local, mandatory, &fval)) {
kfree(fval.sp.vec);
return -ENOMEM;
}
return 0;
} }
/** /**
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册