Re: [PATCH] Revert "ipv4: fix memory leaks in ip_cmsg_send() callers"

From: Eric Dumazet
Date: Mon Sep 13 2021 - 12:15:39 EST


On Sun, Sep 12, 2021 at 9:04 PM Yajun Deng <yajun.deng@xxxxxxxxx> wrote:
>
> This reverts commit 919483096bfe75dda338e98d56da91a263746a0a.
>
> There is only when ip_options_get() return zero need to free.
> It already called kfree() when return error.
>
> Fixes: 919483096bfe ("ipv4: fix memory leaks in ip_cmsg_send() callers")
> Signed-off-by: Yajun Deng <yajun.deng@xxxxxxxxx>
> ---

I do not think this is a valid patch, not sure why David has merged so
soon before us reviewing it ?

You are bringing back the memory leaks.

ip_cmsg_send() can loop over multiple cmsghdr()

If IP_RETOPTS has been successful, but following cmsghdr generates an error,
we do not free ipc.ok

If IP_RETOPTS is not successful, we have freed the allocated temporary space,
not the one currently in ipc.opt.

Can you share what your exact finding was, perhaps a syzbot repro ???

Thanks.