Skip to content

Commit

Permalink
ipv6: fix possible crashes in ip6_cork_release()
Browse files Browse the repository at this point in the history 
commit 0178b69 ("ipv6: Copy cork options in ip6_append_data")
added some code duplication and bad error recovery, leading to potential
crash in ip6_cork_release() as kfree() could be called with garbage.

use kzalloc() to make sure this wont happen.

Signed-off-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Cc: Herbert Xu <[email protected]>
Cc: Hideaki YOSHIFUJI <[email protected]>
Cc: Neal Cardwell <[email protected]>
  • Loading branch information
@davem330
Eric Dumazet authored and davem330 committed May 18, 2013
1 parent 014be2c commit 284041e
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion net/ipv6/ip6_output.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1147,7 +1147,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
if (WARN_ON(np->cork.opt))
return -EINVAL;

np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation);
np->cork.opt = kzalloc(opt->tot_len, sk->sk_allocation);
if (unlikely(np->cork.opt == NULL))
return -ENOBUFS;

Expand Down

0 comments on commit 284041e

Please sign in to comment.