[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
(usagi-users 02964) Re: ipv6/udp.c
In article <20040614.223741.24811433.chamas@xxxxxxxxxxxxx> (at Mon, 14 Jun 2004 22:37:41 +0900 (JST)), Ken-ichirou MATSUZAWA <chamas@xxxxxxxxxxxxx> says:
> I don't know detail, but is it right? in 2.6.6
>
> ---- net/ipv6/udp.c: udpv6_mcast_deliver ----
> if (buff)
> kfree_skb(buff);
> if (udpv6_queue_rcv_skb(sk, skb) < 0) {
> free_skb:
> kfree_skb(skb);
> }
> read_unlock(&udp_hash_lock);
> }
>
> ---- net/ipv6/udp.c: udpv6_queue_rcv_skb ----
> if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
> kfree_skb(skb);
> return -1;
> }
>
> ----
>
> It seems kfree_skb twice.
Good catch. Thanks.
David, please apply this patch.
Thanks.
D: [IPV6] IPSEC: fix double kfree_skb() in error path. (reported by Ken-ichirou MATSUZAWA <chamas@xxxxxxxxxxxxx>)
===== net/ipv6/udp.c 1.64 vs edited =====
--- 1.64/net/ipv6/udp.c 2004-06-10 05:39:26 +09:00
+++ edited/net/ipv6/udp.c 2004-06-14 23:44:44 +09:00
@@ -572,34 +572,26 @@
struct sk_buff *skb)
{
struct sock *sk, *sk2;
- struct sk_buff *buff;
int dif;
read_lock(&udp_hash_lock);
sk = sk_head(&udp_hash[ntohs(uh->dest) & (UDP_HTABLE_SIZE - 1)]);
dif = skb->dev->ifindex;
sk = udp_v6_mcast_next(sk, uh->dest, daddr, uh->source, saddr, dif);
- if (!sk)
- goto free_skb;
+ if (!sk) {
+ kfree_skb(skb);
+ goto out;
+ }
- buff = NULL;
sk2 = sk;
while ((sk2 = udp_v6_mcast_next(sk_next(sk2), uh->dest, daddr,
uh->source, saddr, dif))) {
- if (!buff) {
- buff = skb_clone(skb, GFP_ATOMIC);
- if (!buff)
- continue;
- }
- if (udpv6_queue_rcv_skb(sk2, buff) >= 0)
- buff = NULL;
- }
- if (buff)
- kfree_skb(buff);
- if (udpv6_queue_rcv_skb(sk, skb) < 0) {
-free_skb:
- kfree_skb(skb);
+ struct sk_buff *buff = skb_clone(skb, GFP_ATOMIC);
+ if (buff)
+ udpv6_queue_rcv_skb(sk2, buff);
}
+ udpv6_queue_rcv_skb(sk, skb);
+out:
read_unlock(&udp_hash_lock);
}
--
Hideaki YOSHIFUJI @ USAGI Project <yoshfuji@xxxxxxxxxxxxxx>
GPG FP: 9022 65EB 1ECF 3AD1 0BDF 80D8 4807 F894 E062 0EEA