RDMA/iwcm: Fix memory leak
authorKrishna Kumar <krkumar2@in.ibm.com>
Thu, 9 Nov 2006 04:00:41 +0000 (09:30 +0530)
committerRoland Dreier <rolandd@cisco.com>
Wed, 29 Nov 2006 23:33:07 +0000 (15:33 -0800)
If we get IW_CM_EVENT_CONNECT_REQUEST message and encounter an error
(not in the LISTEN state, cannot create an id, cannot alloc
work_entry, etc), then the memory allocated by cm_event_handler() in
the event->private_data gets leaked. Since cm_work_handler has already
put the event on the work_free_list, this allocated memory is
leaked. High backlog value can allow DoS attacks.

Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
Acked-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
drivers/infiniband/core/iwcm.c

index 22d498c9a68bdf5dbaf07b05833dc45c47bffbe4..0cfd7848dd37f1971c5343ee59c9f06dc6933bcc 100644 (file)
@@ -619,7 +619,7 @@ static void cm_conn_req_handler(struct iwcm_id_private *listen_id_priv,
        spin_lock_irqsave(&listen_id_priv->lock, flags);
        if (listen_id_priv->state != IW_CM_STATE_LISTEN) {
                spin_unlock_irqrestore(&listen_id_priv->lock, flags);
        spin_lock_irqsave(&listen_id_priv->lock, flags);
        if (listen_id_priv->state != IW_CM_STATE_LISTEN) {
                spin_unlock_irqrestore(&listen_id_priv->lock, flags);
-               return;
+               goto out;
        }
        spin_unlock_irqrestore(&listen_id_priv->lock, flags);
 
        }
        spin_unlock_irqrestore(&listen_id_priv->lock, flags);
 
@@ -628,7 +628,7 @@ static void cm_conn_req_handler(struct iwcm_id_private *listen_id_priv,
                                listen_id_priv->id.context);
        /* If the cm_id could not be created, ignore the request */
        if (IS_ERR(cm_id))
                                listen_id_priv->id.context);
        /* If the cm_id could not be created, ignore the request */
        if (IS_ERR(cm_id))
-               return;
+               goto out;
 
        cm_id->provider_data = iw_event->provider_data;
        cm_id->local_addr = iw_event->local_addr;
 
        cm_id->provider_data = iw_event->provider_data;
        cm_id->local_addr = iw_event->local_addr;
@@ -641,7 +641,7 @@ static void cm_conn_req_handler(struct iwcm_id_private *listen_id_priv,
        if (ret) {
                iw_cm_reject(cm_id, NULL, 0);
                iw_destroy_cm_id(cm_id);
        if (ret) {
                iw_cm_reject(cm_id, NULL, 0);
                iw_destroy_cm_id(cm_id);
-               return;
+               goto out;
        }
 
        /* Call the client CM handler */
        }
 
        /* Call the client CM handler */
@@ -653,6 +653,7 @@ static void cm_conn_req_handler(struct iwcm_id_private *listen_id_priv,
                        kfree(cm_id);
        }
 
                        kfree(cm_id);
        }
 
+out:
        if (iw_event->private_data_len)
                kfree(iw_event->private_data);
 }
        if (iw_event->private_data_len)
                kfree(iw_event->private_data);
 }