From mboxrd@z Thu Jan 1 00:00:00 1970
From: Oren Laadan
Subject: Re: [PATCH] Fix kfree() corruption in sock_read_buffer_sendmsg()
Date: Fri, 14 Aug 2009 16:21:34 -0400
Message-ID: <4A85C74E.1050906@librato.com>
References: <1250264153-21697-1-git-send-email-danms@us.ibm.com> <20090814185145.GA5712@us.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <20090814185145.GA5712-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
To: "Serge E. Hallyn"
Cc: containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org, Dan Smith
List-Id: containers.vger.kernel.org

Serge E. Hallyn wrote:
> Quoting Dan Smith (danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org):
>> The memcpy_from_iovec() function that the unix sendmsg functions use modifies
>> the struct msghdr. Since the current code uses the msg.iovec_base pointer
>> in the msghdr for the kmalloc() and kfree(), we end up freeing the wrong
>> pointer. This patch stores the original address in a separate pointer and
>> corrects the kfree() call to use it.
>>
>> Cc: serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org
>> Signed-off-by: Dan Smith
>
> Tested-by: Serge Hallyn

Pulled.

Oren.
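The bug class in the quoted commit message, shown as an added user-space example that is not part of this thread, the patch, or the kernel: the iovec copy helper the message calls memcpy_from_iovec() consumes the iovec as it copies, so after the send path returns, msg_iov->iov_base no longer points at the start of the kmalloc()'d buffer, and freeing through it hands the allocator an interior pointer. The structures iovec_ex and msghdr_ex, the helper memcpy_fromiovec_ex(), the function sendmsg_free_offset() and the constant SINK_SIZE are all this example's own stand-ins; the helper is modelled on the advancing behaviour the message describes, and the payload bytes are constructed here. Instead of actually freeing the wrong pointer (which would corrupt the heap exactly as kfree() does in the kernel), the example reports how far the pointer that would be freed has drifted from the real allocation, for the pre-patch path and for the fix that keeps a separately saved pointer.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-space stand-ins for the kernel structures (this example's own,
 * not the kernel's definitions). */
struct iovec_ex {
    void  *iov_base;
    size_t iov_len;
};

struct msghdr_ex {
    struct iovec_ex *msg_iov;
    size_t           msg_iovlen;
};

/* Stand-in for the kernel's iovec copy helper. Like the helper the commit
 * message describes, it consumes the iovec while copying: iov_base is
 * advanced and iov_len reduced for every element it drains, and that
 * mutation is visible to the caller through its msghdr. Returns bytes copied. */
static size_t memcpy_fromiovec_ex(unsigned char *kdata, struct iovec_ex *iov,
                                  size_t iovlen, size_t len)
{
    size_t copied = 0;

    while (len > 0 && iovlen > 0) {
        size_t n = iov->iov_len < len ? iov->iov_len : len;

        memcpy(kdata + copied, iov->iov_base, n);
        iov->iov_base = (unsigned char *)iov->iov_base + n; /* the mutation */
        iov->iov_len -= n;
        copied += n;
        len -= n;
        if (iov->iov_len == 0) {
            iov++;
            iovlen--;
        }
    }
    return copied;
}

#define SINK_SIZE 256   /* receiver-side scratch buffer (example-only) */

/* Replays the sendmsg-style sequence once: allocate, point a one-element
 * iovec at the allocation, let the copy helper drain it, then pick the
 * pointer to release. use_saved_pointer == 0 models the pre-patch code
 * (free msg_iov->iov_base); nonzero models the fix (free the address saved
 * before the call). Returns the byte distance between the pointer that
 * would be freed and the real allocation: 0 is a correct free, a positive
 * value is the corrupting free. Returns -1 on a bad argument or a bad copy.
 * The wrong pointer is never actually passed to free(). */
ptrdiff_t sendmsg_free_offset(size_t payload_len, int use_saved_pointer)
{
    unsigned char sink[SINK_SIZE];
    unsigned char *buf, *saved, *to_free;
    struct iovec_ex iov;
    struct msghdr_ex msg;
    ptrdiff_t offset;
    size_t i;

    if (payload_len == 0 || payload_len > SINK_SIZE)
        return -1;
    buf = malloc(payload_len);          /* stands in for kmalloc() */
    if (!buf)
        return -1;
    saved = buf;                        /* the separate pointer the fix keeps */
    for (i = 0; i < payload_len; i++)   /* constructed payload */
        buf[i] = (unsigned char)(i * 7 + 3);

    iov.iov_base = buf;
    iov.iov_len = payload_len;
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;

    /* The "sendmsg" side drains the iovec and moves iov_base forward. */
    if (memcpy_fromiovec_ex(sink, msg.msg_iov, msg.msg_iovlen, payload_len)
            != payload_len || memcmp(sink, saved, payload_len) != 0) {
        free(buf);
        return -1;
    }

    to_free = use_saved_pointer ? saved
                                : (unsigned char *)msg.msg_iov->iov_base;
    offset = to_free - saved;

    free(buf);                          /* always release the real allocation */
    return offset;
}

int main(void)
{
    printf("pre-patch free offset: %ld bytes\n", (long)sendmsg_free_offset(64, 0));
    printf("fixed     free offset: %ld bytes\n", (long)sendmsg_free_offset(64, 1));
    return 0;
}
```

The offset reported for the pre-patch path equals the payload length, which is why the crash shows up as allocator corruption rather than an immediate fault: the freed address lies inside or just past a live allocation, and the slab bookkeeping is what gets damaged. The fix needs no change to the copy helper; it only has to treat the pointer inside the msghdr as consumed after the call and free the address it kept from before.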