On Thu, Feb 4, 2016 at 6:23 AM, Eric Dumazet <eric.duma...@gmail.com> wrote:
> From: Eric Dumazet <eduma...@google.com>
>
> Dmitry reported memory leaks of IP options allocated in
> ip_cmsg_send() when/if this function returns an error.
>
> Callers are responsible for the freeing.

Right, because there is a loop in ip_cmsg_send(), so it is easier for the callers to free it than for the callee.

The other thing is we perhaps have another leak in the following code:

        if (ipc.opt && ipc.opt->opt.srr) {
                if (!daddr)
                        return -EINVAL;
                faddr = ipc.opt->opt.faddr;
        }

since ipc.opt could be allocated on the heap...

We need something like:

@@ -770,8 +770,11 @@ static int ping_v4_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) ipc.addr = faddr = daddr; if (ipc.opt && ipc.opt->opt.srr) { - if (!daddr) + if (!daddr) { + if (free) + kfree(ipc.opt); return -EINVAL; + } faddr = ipc.opt->opt.faddr; } tos = get_rttos(&ipc, inet);
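
Review bot: the new `if (free)` test in the `!daddr` branch depends on a `free` flag that is neither declared nor assigned anywhere in the visible context, so the hunk cannot be checked on its own. Please confirm that ping_v4_sendmsg() sets it only when ipc.opt was allocated by ip_cmsg_send(), since otherwise this kfree() could release options the function does not own. Rather than open-coding `kfree(ipc.opt);` in front of `return -EINVAL;`, consider storing the error code and jumping to a shared cleanup label, so that any other error return after this point frees ipc.opt the same way.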