diff for duplicates of <20190607124813.GA3436@localhost.localdomain>
diff --git a/a/1.txt b/N1/1.txt
index 9d5ab2f..04224ad 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -56,7 +56,7 @@ On Fri, Jun 07, 2019 at 06:56:39AM -0400, Neil Horman wrote:
 > > > > This's not gonna happen, as after processing INIT, the temp asoc will be
 > > > > deleted on the server side. Besides, from the reproducer:
 > > > >
-> > > > https://syzkaller.appspot.com/x/repro.syz?x\x10e32f8ca00000
+> > > > https://syzkaller.appspot.com/x/repro.syz?x=10e32f8ca00000
 > > > >
 > > > > Packet(INIT|COOKIE_ECHO) can't be made in here.
 > > > >
@@ -143,7 +143,8 @@ Xin?
 > > > >
 > > > > @@ -881,6 +893,18 @@ static void sctp_cmd_new_state(struct sctp_cmd_seq *cmds,
 > > > > asoc->rto_initial;
-> > > > asoc->timeouts[SCTP_EVENT_TIMEOUT_T1_COOKIE] > > > > asoc->rto_initial;
+> > > > asoc->timeouts[SCTP_EVENT_TIMEOUT_T1_COOKIE] =
+> > > > asoc->rto_initial;
 > > > > +
 > > > > + if (asoc->peer.cookie) {
 > > > > + kfree(asoc->peer.cookie);
@@ -212,7 +213,8 @@ Xin?
 > > > > > * advertised window).
 > > > > > @@ -2607,7 +2598,9 @@ static int sctp_process_param(struct sctp_association *asoc,
 > > > > > case SCTP_PARAM_STATE_COOKIE:
-> > > > > asoc->peer.cookie_len > > > > > ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
+> > > > > asoc->peer.cookie_len =
+> > > > > ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
 > > > > > - asoc->peer.cookie = param.cookie->body;
 > > > > > + asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
 > > > > > + if (!asoc->peer.cookie)
diff --git a/a/content_digest b/N1/content_digest
index 591f7b6..89bffa1 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -6,7 +6,7 @@
 "ref\020190607105639.GB26017@hmswarspite.think-freely.org\0"
 "From\0Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>\0"
 "Subject\0Re: [PATCH V2] Fix memory leak in sctp_process_init\0"
- "Date\0Fri, 07 Jun 2019 12:48:13 +0000\0"
+ "Date\0Fri, 7 Jun 2019 09:48:13 -0300\0"
 "To\0Neil Horman <nhorman@tuxdriver.com>\0"
 "Cc\0Xin Long <lucien.xin@gmail.com>"
 linux-sctp@vger.kernel.org
@@ -73,7 +73,7 @@
 "> > > > This's not gonna happen, as after processing INIT, the temp asoc will be\n"
 "> > > > deleted on the server side. Besides, from the reproducer:\n"
 "> > > > \n"
- "> > > > https://syzkaller.appspot.com/x/repro.syz?x\020e32f8ca00000\n"
+ "> > > > https://syzkaller.appspot.com/x/repro.syz?x=10e32f8ca00000\n"
 "> > > > \n"
 "> > > > Packet(INIT|COOKIE_ECHO) can't be made in here.\n"
 "> > > > \n"
@@ -160,7 +160,8 @@
 "> > > > \n"
 "> > > > @@ -881,6 +893,18 @@ static void sctp_cmd_new_state(struct sctp_cmd_seq *cmds,\n"
 "> > > > asoc->rto_initial;\n"
- "> > > > asoc->timeouts[SCTP_EVENT_TIMEOUT_T1_COOKIE] > > > > asoc->rto_initial;\n"
+ "> > > > asoc->timeouts[SCTP_EVENT_TIMEOUT_T1_COOKIE] =\n"
+ "> > > > asoc->rto_initial;\n"
 "> > > > +\n"
 "> > > > + if (asoc->peer.cookie) {\n"
 "> > > > + kfree(asoc->peer.cookie);\n"
@@ -229,7 +230,8 @@
 "> > > > > * advertised window).\n"
 "> > > > > @@ -2607,7 +2598,9 @@ static int sctp_process_param(struct sctp_association *asoc,\n"
 "> > > > > case SCTP_PARAM_STATE_COOKIE:\n"
- "> > > > > asoc->peer.cookie_len > > > > > ntohs(param.p->length) - sizeof(struct sctp_paramhdr);\n"
+ "> > > > > asoc->peer.cookie_len =\n"
+ "> > > > > ntohs(param.p->length) - sizeof(struct sctp_paramhdr);\n"
 "> > > > > - asoc->peer.cookie = param.cookie->body;\n"
 "> > > > > + asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);\n"
 "> > > > > + if (!asoc->peer.cookie)\n"
@@ -260,4 +262,4 @@ "> > > \n" > > -4de7a61ce2993afb32a00d77058a034c4ae6f2a1795b644942fc102597046165 +cfc129870b801ac05001833bedd74ad7e0d365ca35bd354be2a1003298020eef