From: "Michal Ruzicka" <michal.ruzicka@comstar.cz>
To: <davem@davemloft.net>, <kuznet@ms2.inr.ac.ru>
Cc: <netdev@vger.kernel.org>
Subject: Possible leak of multicast source filter structure
Date: Thu, 10 Aug 2006 14:07:06 +0200
Message-ID: <019901c6bc75$872ee1f0$2303a8c0@mruzicka>
In-Reply-To: 44DB0870.6000902@tcs.hut.fi
[-- Attachment #1: Type: text/plain, Size: 1610 bytes --]
Hi all!
It seems to me that there is a leak of struct ip_sf_socklist in the
ip_mc_drop_socket function (in net/ipv4/igmp.c) which is called on socket
close.
This patch corrects it:
diff -Naur linux-2.6.17.8.orig/net/ipv4/igmp.c
linux-2.6.17.8/net/ipv4/igmp.c
--- linux-2.6.17.8.orig/net/ipv4/igmp.c 2006-08-07 06:18:54.000000000 +0200
+++ linux-2.6.17.8/net/ipv4/igmp.c 2006-08-10 10:38:04.000000000 +0200
@@ -2206,9 +2206,10 @@
(void) ip_mc_leave_src(sk, iml, in_dev);
ip_mc_dec_group(in_dev, iml->multi.imr_multiaddr.s_addr);
in_dev_put(in_dev);
- }
- sock_kfree_s(sk, iml, sizeof(*iml));
+ } else if (iml->sflist != NULL)
+ sock_kfree_s(sk, iml->sflist, IP_SFLSIZE(iml->sflist->sl_max));
+ sock_kfree_s(sk, iml, sizeof(*iml));
}
rtnl_unlock();
}
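Review bot: The new `else if (iml->sflist != NULL)` branch frees the filter list inside ip_mc_drop_socket while the in_dev path still relies on ip_mc_leave_src for the same job, so ownership of iml->sflist is split across two functions and any other path that reaches this state without an in_dev can miss the free again. Consider doing the free in one place, for example by letting ip_mc_leave_src cope with a missing in_dev, or by freeing any remaining iml->sflist unconditionally just before `sock_kfree_s(sk, iml, sizeof(*iml));`. The unbraced `else if` following a braced `if` block should also get braces on both arms.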
The leak only happens if there are some multicast source filters set on a
socket which are bound to an interface that does not exist any more, as in
the following scenario:
1. create a temporary interface (say GRE tunnel)
3. join a multicast group and set a source filter on the temporary interface
via MCAST_JOIN_SOURCE_GROUP setsockopt call
4. destroy the temporary interface
5. close the socket
This sequence of things eventually leads to a call of ip_mc_drop_socket
function, which fails to free the source filter structure ip_sf_socklist
pointed to from members of socket's multicast addresses list. This structure
is normally freed in ip_mc_leave_src function but this function is not
called in this scenario because the interface that the multicast group is
joined on does not exist any more.
Thanks
Michal Ruzicka
[-- Attachment #2: linux-2.6.17.8-mc_sf_leak.patch --]
[-- Type: application/octet-stream, Size: 609 bytes --]
diff -Naur linux-2.6.17.8.orig/net/ipv4/igmp.c linux-2.6.17.8/net/ipv4/igmp.c
--- linux-2.6.17.8.orig/net/ipv4/igmp.c 2006-08-07 06:18:54.000000000 +0200
+++ linux-2.6.17.8/net/ipv4/igmp.c 2006-08-10 10:38:04.000000000 +0200
@@ -2206,9 +2206,10 @@
(void) ip_mc_leave_src(sk, iml, in_dev);
ip_mc_dec_group(in_dev, iml->multi.imr_multiaddr.s_addr);
in_dev_put(in_dev);
- }
- sock_kfree_s(sk, iml, sizeof(*iml));
+ } else if (iml->sflist != NULL)
+ sock_kfree_s(sk, iml->sflist, IP_SFLSIZE(iml->sflist->sl_max));
+ sock_kfree_s(sk, iml, sizeof(*iml));
}
rtnl_unlock();
}
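The scenario described in the mail, as a userspace model that is added here and is not code from the mail or from the kernel. All names (`sock_model`, `mc_entry`, `sf_list`, `drop_socket`, `run_scenario`) are hypothetical stand-ins, and the interface-found branch frees the filter only because the mail says ip_mc_leave_src does so; the per-socket byte counter shows the unbalanced accounting a close-time check can catch.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for ip_sf_socklist, ip_mc_socklist and the socket. */
struct sf_list   { unsigned int sl_max; unsigned int sl_addr[]; };
struct mc_entry  { struct mc_entry *next; int ifindex; struct sf_list *sflist; };
struct sock_model { struct mc_entry *mc_list; long omem; /* bytes charged */ };

#define SFLSIZE(n) (sizeof(struct sf_list) + (n) * sizeof(unsigned int))

/* Allocation helpers that charge and uncharge the socket, like sized frees. */
static void *sk_alloc(struct sock_model *sk, size_t n) {
    void *p = calloc(1, n);
    if (p == NULL) abort();
    sk->omem += (long)n;
    return p;
}
static void sk_free(struct sock_model *sk, void *p, size_t n) {
    sk->omem -= (long)n;
    free(p);
}
/* Join a group with a source filter on one interface. */
static void join_source_group(struct sock_model *sk, int ifindex, unsigned int nsrc) {
    struct mc_entry *e = sk_alloc(sk, sizeof(*e));
    e->ifindex = ifindex;
    e->sflist = sk_alloc(sk, SFLSIZE(nsrc));
    e->sflist->sl_max = nsrc;
    e->next = sk->mc_list;
    sk->mc_list = e;
}
/* Socket close: gone_ifindex is the destroyed interface (-1 for none).
 * Returns the bytes still charged to the socket; non-zero means a leak. */
static long drop_socket(struct sock_model *sk, int gone_ifindex, int patched) {
    struct mc_entry *e;
    while ((e = sk->mc_list) != NULL) {
        sk->mc_list = e->next;
        if (e->ifindex != gone_ifindex) {            /* interface still found */
            if (e->sflist != NULL)                   /* leave path frees filter */
                sk_free(sk, e->sflist, SFLSIZE(e->sflist->sl_max));
        } else if (patched && e->sflist != NULL) {   /* branch the patch adds */
            sk_free(sk, e->sflist, SFLSIZE(e->sflist->sl_max));
        }
        sk_free(sk, e, sizeof(*e));
    }
    return sk->omem;
}
/* Constructed input: ifindex 7 is the temporary interface, 2 a permanent one. */
static long run_scenario(int patched, int destroy_iface) {
    struct sock_model sk = { NULL, 0 };
    join_source_group(&sk, 7, 4);
    join_source_group(&sk, 2, 1);
    return drop_socket(&sk, destroy_iface ? 7 : -1, patched);
}
int main(void) { printf("unpatched leak: %ld bytes\n", run_scenario(0, 1)); return 0; }
```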