提交 83b96586 编写于 作者: K Krishna Kumar 提交者: Roland Dreier

RDMA/iwcm: Fix memory leak

If we get IW_CM_EVENT_CONNECT_REQUEST message and encounter an error
(not in the LISTEN state, cannot create an id, cannot alloc
work_entry, etc), then the memory allocated by cm_event_handler() in
the event->private_data gets leaked. Since cm_work_handler has already
put the event on the work_free_list, this allocated memory is
leaked. High backlog value can allow DoS attacks.
Signed-off-by: NKrishna Kumar <krkumar2@in.ibm.com>
Acked-by: NSteve Wise <swise@opengridcomputing.com>
Signed-off-by: NRoland Dreier <rolandd@cisco.com>
上级 33ba0fa9
......@@ -619,7 +619,7 @@ static void cm_conn_req_handler(struct iwcm_id_private *listen_id_priv,
spin_lock_irqsave(&listen_id_priv->lock, flags);
if (listen_id_priv->state != IW_CM_STATE_LISTEN) {
spin_unlock_irqrestore(&listen_id_priv->lock, flags);
return;
goto out;
}
spin_unlock_irqrestore(&listen_id_priv->lock, flags);
......@@ -628,7 +628,7 @@ static void cm_conn_req_handler(struct iwcm_id_private *listen_id_priv,
listen_id_priv->id.context);
/* If the cm_id could not be created, ignore the request */
if (IS_ERR(cm_id))
return;
goto out;
cm_id->provider_data = iw_event->provider_data;
cm_id->local_addr = iw_event->local_addr;
......@@ -641,7 +641,7 @@ static void cm_conn_req_handler(struct iwcm_id_private *listen_id_priv,
if (ret) {
iw_cm_reject(cm_id, NULL, 0);
iw_destroy_cm_id(cm_id);
return;
goto out;
}
/* Call the client CM handler */
......@@ -653,6 +653,7 @@ static void cm_conn_req_handler(struct iwcm_id_private *listen_id_priv,
kfree(cm_id);
}
out:
if (iw_event->private_data_len)
kfree(iw_event->private_data);
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册