diff for duplicates of <20190606154754.GA3500@localhost.localdomain>
diff --git a/a/1.txt b/N1/1.txt
index 2419f0d..883e734 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -54,7 +54,7 @@ On Wed, Jun 05, 2019 at 07:20:10AM -0400, Neil Horman wrote:
 > > This's not gonna happen, as after processing INIT, the temp asoc will be
 > > deleted on the server side. Besides, from the reproducer:
 > >
-> > https://syzkaller.appspot.com/x/repro.syz?x\x10e32f8ca00000
+> > https://syzkaller.appspot.com/x/repro.syz?x=10e32f8ca00000
 > >
 > > Packet(INIT|COOKIE_ECHO) can't be made in here.
 > >
@@ -129,7 +129,8 @@ Yet somehow the patch changed the dynamics and made the test pass (4x
 > >
 > > @@ -881,6 +893,18 @@ static void sctp_cmd_new_state(struct sctp_cmd_seq *cmds,
 > > asoc->rto_initial;
-> > asoc->timeouts[SCTP_EVENT_TIMEOUT_T1_COOKIE] > > asoc->rto_initial;
+> > asoc->timeouts[SCTP_EVENT_TIMEOUT_T1_COOKIE] =
+> > asoc->rto_initial;
 > > +
 > > + if (asoc->peer.cookie) {
 > > + kfree(asoc->peer.cookie);
@@ -198,7 +199,8 @@ Yet somehow the patch changed the dynamics and made the test pass (4x
 > > > * advertised window).
 > > > @@ -2607,7 +2598,9 @@ static int sctp_process_param(struct sctp_association *asoc,
 > > > case SCTP_PARAM_STATE_COOKIE:
-> > > asoc->peer.cookie_len > > > ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
+> > > asoc->peer.cookie_len =
+> > > ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
 > > > - asoc->peer.cookie = param.cookie->body;
 > > > + asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
 > > > + if (!asoc->peer.cookie)
diff --git a/a/content_digest b/N1/content_digest
index 42fcab6..dcefd35 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -4,7 +4,7 @@
 "ref\020190605112010.GA554@hmswarspite.think-freely.org\0"
 "From\0Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>\0"
 "Subject\0Re: [PATCH V2] Fix memory leak in sctp_process_init\0"
- "Date\0Thu, 06 Jun 2019 15:47:55 +0000\0"
+ "Date\0Thu, 6 Jun 2019 12:47:55 -0300\0"
 "To\0Neil Horman <nhorman@tuxdriver.com>\0"
 "Cc\0Xin Long <lucien.xin@gmail.com>"
 linux-sctp@vger.kernel.org
@@ -69,7 +69,7 @@
 "> > This's not gonna happen, as after processing INIT, the temp asoc will be\n"
 "> > deleted on the server side. Besides, from the reproducer:\n"
 "> > \n"
- "> > https://syzkaller.appspot.com/x/repro.syz?x\020e32f8ca00000\n"
+ "> > https://syzkaller.appspot.com/x/repro.syz?x=10e32f8ca00000\n"
 "> > \n"
 "> > Packet(INIT|COOKIE_ECHO) can't be made in here.\n"
 "> > \n"
@@ -144,7 +144,8 @@
 "> > \n"
 "> > @@ -881,6 +893,18 @@ static void sctp_cmd_new_state(struct sctp_cmd_seq *cmds,\n"
 "> > asoc->rto_initial;\n"
- "> > asoc->timeouts[SCTP_EVENT_TIMEOUT_T1_COOKIE] > > asoc->rto_initial;\n"
+ "> > asoc->timeouts[SCTP_EVENT_TIMEOUT_T1_COOKIE] =\n"
+ "> > asoc->rto_initial;\n"
 "> > +\n"
 "> > + if (asoc->peer.cookie) {\n"
 "> > + kfree(asoc->peer.cookie);\n"
@@ -213,7 +214,8 @@
 "> > > * advertised window).\n"
 "> > > @@ -2607,7 +2598,9 @@ static int sctp_process_param(struct sctp_association *asoc,\n"
 "> > > case SCTP_PARAM_STATE_COOKIE:\n"
- "> > > asoc->peer.cookie_len > > > ntohs(param.p->length) - sizeof(struct sctp_paramhdr);\n"
+ "> > > asoc->peer.cookie_len =\n"
+ "> > > ntohs(param.p->length) - sizeof(struct sctp_paramhdr);\n"
 "> > > - asoc->peer.cookie = param.cookie->body;\n"
 "> > > + asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);\n"
 "> > > + if (!asoc->peer.cookie)\n"
@@ -243,4 +245,4 @@
 "> > \n"
 >
-1ffada35bac622b91f84039a30cc4bf6592e41cf1ccfb1ed2bd7d1de07f91f91
+d514dd7dc11c5ea5e4cac16e1e6121896361cd2d36dc3327d6167966820df00c