Fix kfree bug in recvmsg and sendmsg. We cannot kfree(iov) when iov points to an array on the stack, as that has the potential of corrupting memory.
So re-introduce the if-stmt that used to protect kfree from this condition, code that was removed as part of a larger set of changes made by git commit da184284. Signed-off-by: Joe Korty <joe.ko...@ccur.com> Index: b/net/socket.c =================================================================== --- a/net/socket.c +++ b/net/socket.c @@ -1960,7 +1960,8 @@ out_freectl: if (ctl_buf != ctl) sock_kfree_s(sock->sk, ctl_buf, ctl_len); out_freeiov: - kfree(iov); + if (iov != iovstack) + kfree(iov); return err; } @@ -2125,7 +2126,8 @@ static int ___sys_recvmsg(struct socket err = len; out_freeiov: - kfree(iov); + if (iov != iovstack) + kfree(iov); return err; }
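Review bot: in the first hunk (the out_freeiov label that follows out_freectl) the restored `if (iov != iovstack)` guard has no comment, and the changelog says this same check was already lost once as part of a larger set of changes (da184284). A short comment above the guard, for example `/* iov may point at the on-stack iovstack array; free only if it was allocated */`, would make the reason visible where the code is read. It would sit naturally next to the `if (ctl_buf != ctl)` guard a few lines up, which follows the same pattern.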
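Review bot: the second hunk (out_freeiov in ___sys_recvmsg) duplicates the two-line guard from the sendmsg path verbatim, so the two sites can drift apart again in a later cleanup. Consider a small static helper that takes iov and iovstack and does the conditional kfree, called from both labels. The visible context also does not show whether every path that reaches out_freeiov arrives with iov either equal to iovstack or pointing at a buffer that is valid to pass to kfree; a sentence in the changelog confirming that would help review.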