Re: [PATCH v2 1/1] tipc: fix double-free in tipc_buf_append()

Next message: Matthew Brost: "Re: [PATCH v2 1/5] mm: Introduce zone_appears_fragmented()"
Previous message: Mario Limonciello: "Re: [RFC PATCH v2 4/5] x86/amd_node: Add smn_set_roots() and smn_activate() for external SMN registration"
In reply to: Tung Quang Nguyen: "RE: [PATCH v2 1/1] tipc: fix double-free in tipc_buf_append()"
Next in thread: patchwork-bot+netdevbpf: "Re: [PATCH v2 1/1] tipc: fix double-free in tipc_buf_append()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Simon Horman

Date: Thu Apr 23 2026 - 15:14:24 EST

On Tue, Apr 21, 2026 at 01:45:26PM +0100, Lee Jones wrote:
> tipc_msg_validate() can potentially reallocate the skb it is validating,
> freeing the old one. In tipc_buf_append(), it was being called with a
> pointer to a local variable which was a copy of the caller's skb
> pointer.
>
> If the skb was reallocated and validation subsequently failed, the error
> handling path would free the original skb pointer, which had already
> been freed, leading to double-free.
>
> Fix this by checking if head now points to a newly allocated reassembled
> skb. If it does, reassign *headbuf for later freeing operations.
>
> Fixes: d618d09a68e4 ("tipc: enforce valid ratio between skb truesize and contents")
> Suggested-by: Tung Nguyen <tung.quang.nguyen@xxxxxxxx>
> Signed-off-by: Lee Jones <lee@xxxxxxxxxx>
> ---
> 1v => v2: Keep the passed pointer type the same, but reassign on-change

FTR: Sashiko has generated a review of this patch which I have examined.
I do not believe that review should halt progress of this patch
as it appears that the problem flagged pre-dates this patch. Actually,
its unclear to me if it is a problem that warrants addressing at all.
But I'd appreciate if it could be looked over as a follow-up task.