[PATCH] [bridge] Fix double-free in br_add_if.

From: Jeff Hansen
Date: Fri Sep 25 2009 - 16:25:30 EST


There is a potential double-kfree in net/bridge/br_if.c. If br_fdb_insert
fails, then the kobject is put back (which calls kfree due to the kobject
release), and then kfree is called again on the net_bridge_port. This
patch fixes the crash.

Signed-off-by: Jeff Hansen <x@xxxxxxxxxxxxxx>
---
net/bridge/br_if.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index eb404dc..1becec1 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -368,7 +368,7 @@ done:
int br_add_if(struct net_bridge *br, struct net_device *dev)
{
struct net_bridge_port *p;
- int err = 0;
+ int err = 0, kobj_initted = 0;

if (dev->flags & IFF_LOOPBACK || dev->type != ARPHRD_ETHER)
return -EINVAL;
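Review bot: In the declaration line, kobj_initted is a 0/1 state flag declared as an int on the same line as err. A bool on its own line would make it obvious that it is not an error code, and a name that says what it guards (that p is now owned by the kobject) would read better in the cleanup path than "initted".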
@@ -391,6 +391,7 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
SYSFS_BRIDGE_PORT_ATTR);
if (err)
goto err0;
+ kobj_initted = 1;

err = br_fdb_insert(br, p, dev->dev_addr);
if (err)
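Review bot: The flag is set only after the `if (err) goto err0;` check, so a failure of the call ending in SYSFS_BRIDGE_PORT_ATTR reaches err0 with kobj_initted still 0 and p goes to plain kfree. The changelog only covers the br_fdb_insert failure; please state whether the kobject can hold an allocation of its own by that point that kfree(p) alone would not release, and if so drop the kobject reference on that path as well instead of freeing p directly.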
@@ -429,7 +430,8 @@ err0:
dev_set_promiscuity(dev, -1);
put_back:
dev_put(dev);
- kfree(p);
+ if (!kobj_initted)
+ kfree(p);
return err;
}
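Review bot: At put_back, `if (!kobj_initted) kfree(p);` is correct only if every path that arrives with the flag set has already dropped the kobject reference, and nothing in the visible lines says so. A one-line comment there stating that the kobject release frees p once the kobject is initialised would document the ownership hand-over. Alternatively, a separate exit label for the post-kobject paths that does dev_put(dev) and returns err would remove the need for the flag entirely.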

--
1.6.0.4
