[PATCH] fix memleak in sys_mq_timedsend

From: Chris Wright
Date: Tue May 04 2004 - 19:43:09 EST


Move error handling to capture all three possible error conditions on
sending to a full queue. Without this fix any unprivileged user can
leak arbitrary amounts of kernel memory.

--- ./ipc/mqueue.c~fix_memleak 2004-05-04 15:08:52.000000000 -0700
+++ ./ipc/mqueue.c 2004-05-04 15:10:59.000000000 -0700
@@ -811,9 +811,9 @@ asmlinkage long sys_mq_timedsend(mqd_t m
wait.msg = (void *) msg_ptr;
wait.state = STATE_NONE;
ret = wq_sleep(info, SEND, timeout, &wait);
- if (ret < 0)
- free_msg(msg_ptr);
}
+ if (ret < 0)
+ free_msg(msg_ptr);
} else {
receiver = wq_get_first_waiter(info, RECV);
if (receiver) {
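Review bot: The three error conditions that the relocated `if (ret < 0)` check (now after the inner closing brace) is meant to cover are not named in the changelog or in the code, and only the wq_sleep() failure is visible in this hunk. Please list them in the commit message or add a short comment above the check saying that msg_ptr must be freed on every negative ret in the full-queue branch. It is also worth confirming that when wq_sleep() returns a negative value the wait entry set up with `wait.msg = (void *) msg_ptr;` can no longer be picked up by a receiver, so that the free_msg(msg_ptr) here cannot free a message another path still references.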
