Bug 6187
Summary: | netlink: possible use after free in netlink_recvmsg | |
---|---|---|---
Product: | Networking | Reporter: | Bryan O'Sullivan (bos)
Component: | Other | Assignee: | Arnaldo Carvalho de Melo (acme)
Status: | CLOSED PATCH_ALREADY_AVAILABLE | |
Severity: | normal | CC: | protasnb
Priority: | P2 | |
Hardware: | i386 | |
OS: | Linux | |
Kernel Version: | 2.6.16-git | Subsystem: |
Regression: | --- | Bisected commit-id: |
Description
Bryan O'Sullivan
2006-03-07 16:29:37 UTC
bugme-daemon@bugzilla.kernel.org wrote:
> http://bugzilla.kernel.org/show_bug.cgi?id=6187
>
> Summary: netlink: possible use after free in netlink_recvmsg
> Kernel Version: 2.6.16-git
> Status: NEW
> Severity: normal
> Owner: acme@conectiva.com.br
> Submitter: bos@serpentine.com
>
> Spotted by Coverity's checker.
>
> netlink_recvmsg calls netlink_cmsg_recv_pktinfo(msg, skb) on an skb that the
> checker claims may already have been freed by the preceding call to
> skb_free_datagram.
>
> It seems possible to me that this isn't a valid bug, because the refcount on the
> skb may not permit it to ever get freed through this code path.

Bryan,

There were several fixes, including this one submitted shortly after your report:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;f=net/netlink/af_netlink.c;h=59dc7d140600d95ec10a495beaed0f37f4f390e5;hp=6b9772d95872245b71cd305eda34f57335ac406c;hb=cc9a06cd8d6fbb69b4d3c46760c132cfe312fb85;hpb=f8dc01f543f28253abeef649987249210d8db3cc

Have you tested with later kernels, does it work now?

Thanks. Closing the bug. Please reopen if it still happens with the newest kernel.
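The ordering problem the report describes, and why a reference count can mask it, is easy to model outside the kernel. The following is an added teaching example, not kernel code and not the patch referenced in the commit link above: `struct toy_skb`, `toy_skb_free_datagram()`, `toy_cmsg_recv_pktinfo()`, `recv_buggy()` and `recv_fixed()` are stand-ins constructed here for the real skb, `skb_free_datagram()`, `netlink_cmsg_recv_pktinfo()` and the two possible orderings inside a receive path. Instead of returning memory to the allocator (which would make the stale read undefined behaviour), the model poisons the object when its last reference drops, the way a debug allocator or KASAN-style tooling would make such a read visible.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a received datagram carrying the per-packet
 * metadata a pktinfo control message is built from (here: one group id).
 * Not the kernel's sk_buff. */
struct toy_skb {
    int      refcnt;     /* references held on this datagram */
    uint32_t dst_group;  /* metadata the receive path wants to report */
    int      freed;      /* debugging aid: set once the object is released */
};

/* Value a poisoning allocator would leave behind in freed memory. */
#define TOY_POISON 0xddddddddu

/* Drop the caller's reference (stand-in for skb_free_datagram()).
 * On the last drop the object is poisoned and flagged rather than
 * handed back to malloc, so a later read is observable, not undefined. */
static void toy_skb_free_datagram(struct toy_skb *skb)
{
    if (--skb->refcnt == 0) {
        skb->dst_group = TOY_POISON;
        skb->freed = 1;
    }
}

/* Stand-in for netlink_cmsg_recv_pktinfo(): reads metadata off the skb. */
static uint32_t toy_cmsg_recv_pktinfo(const struct toy_skb *skb)
{
    return skb->dst_group;
}

/* Order the checker flagged: the reference is released first, and the
 * skb is consulted afterwards for control-message data. */
static uint32_t recv_buggy(struct toy_skb *skb)
{
    toy_skb_free_datagram(skb);
    return toy_cmsg_recv_pktinfo(skb); /* stale read once refcnt hit zero */
}

/* Corrected order: everything the caller needs from the skb is copied
 * out while a reference is still held; only then is it released. */
static uint32_t recv_fixed(struct toy_skb *skb)
{
    uint32_t group = toy_cmsg_recv_pktinfo(skb);
    toy_skb_free_datagram(skb);
    return group;
}

int main(void)
{
    /* Single reference: the buggy order returns poison, the fixed order
     * returns the real group id. */
    struct toy_skb a = { .refcnt = 1, .dst_group = 7, .freed = 0 };
    struct toy_skb b = { .refcnt = 1, .dst_group = 7, .freed = 0 };
    printf("buggy, refcnt 1: group=0x%08x freed=%d\n", recv_buggy(&a), a.freed);
    printf("fixed, refcnt 1: group=0x%08x freed=%d\n", recv_fixed(&b), b.freed);

    /* The reporter's caveat: if some other holder still has a reference,
     * the buggy order happens to work, which is why such bugs survive
     * ordinary testing and only a checker or a poisoning allocator sees them. */
    struct toy_skb c = { .refcnt = 2, .dst_group = 7, .freed = 0 };
    printf("buggy, refcnt 2: group=0x%08x freed=%d\n", recv_buggy(&c), c.freed);
    return 0;
}
```

The defensive rule the example encodes is the general one: read everything you need out of a reference-counted object before the call that may drop the last reference, and never let correctness depend on some other holder happening to keep the object alive.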