dccp: Fix memleak in __feat_register_sp

mainline inclusion from mainline-v5.1-rc4 commit 1d3ff0950e2b40dc861b1739029649d03f591820 category: bugfix bugzilla: 13690 CVE: CVE-2019-20096 ------------------------------------------------- If dccp_feat_push_change fails, we forget free the mem which is alloced by kmemdup in dccp_feat_clone_sp_val. Reported-by: N Hulk Robot <hulkci@huawei.com> Fixes: e8ef967a ("dccp: Registration routines for changing feature values") Reviewed-by: N Mukesh Ojha <mojha@codeaurora.org> Signed-off-by: N YueHaibing <yuehaibing@huawei.com> Signed-off-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com> Reviewed-by: N Wenan Mao <maowenan@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: N Xie XiuQi <xiexiuqi@huawei.com>

dccp: Fix memleak in __feat_register_sp
mainline inclusion from mainline-v5.1-rc4 commit 1d3ff0950e2b40dc861b1739029649d03f591820 category: bugfix bugzilla: 13690 CVE: CVE-2019-20096 ------------------------------------------------- If dccp_feat_push_change fails, we forget free the mem which is alloced by kmemdup in dccp_feat_clone_sp_val. Reported-by: N Hulk Robot <hulkci@huawei.com> Fixes: e8ef967a ("dccp: Registration routines for changing feature values") Reviewed-by: N Mukesh Ojha <mojha@codeaurora.org> Signed-off-by: N YueHaibing <yuehaibing@huawei.com> Signed-off-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com> Reviewed-by: N Wenan Mao <maowenan@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: N Xie XiuQi <xiexiuqi@huawei.com>
6df16fcb · YueHaibing · Yang Yingliang · 2236ae0d · 6df16fcb
显示空白变更内容
内联并排

Showing with 6 addition and 1 deletion

net/dccp/feat.c net/dccp/feat.c +6 -1

未找到文件。
--- a/net/dccp/feat.c
+++ b/net/dccp/feat.c
@@ -738,7 +738,12 @@ static int __feat_register_sp(struct list_head *fn, u8 feat, u8 is_local,
 	if (dccp_feat_clone_sp_val(&fval, sp_val, sp_len))
 		return -ENOMEM;
-	return dccp_feat_push_change(fn, feat, is_local, mandatory, &fval);
+	if (dccp_feat_push_change(fn, feat, is_local, mandatory, &fval)) {
+		kfree(fval.sp.vec);
+		return -ENOMEM;
+	}
+	return 0;
 }
 /**