Red Hat Bugzilla – Attachment 297049 Details for
Bug 436067
NULL pointer dereference at sctp_datamsg_put
[patch]
cleaned up version of patch
sctp.patch (text/plain), 4.37 KB, created by
Neil Horman
on 2008-03-06 13:58:11 UTC
Description:
cleaned up version of patch
Filename:
MIME Type:
Creator:
Neil Horman
Created:
2008-03-06 13:58:11 UTC
Size:
4.37 KB
patch
obsolete
>diff -up linux-2.6.18.noarch/net/sctp/sm_make_chunk.c.orig linux-2.6.18.noarch/net/sctp/sm_make_chunk.c
>--- linux-2.6.18.noarch/net/sctp/sm_make_chunk.c.orig 2006-09-19 23:42:06.000000000 -0400
>+++ linux-2.6.18.noarch/net/sctp/sm_make_chunk.c 2008-03-06 07:53:33.000000000 -0500
>@@ -1093,6 +1093,38 @@ nodata:
> /* Release the memory occupied by a chunk. */
> static void sctp_chunk_destroy(struct sctp_chunk *chunk)
> {
>+ struct sctp_sock *sp;
>+ int notify;
>+ struct sctp_ulpevent *ev;
>+ int error = 0;
>+
>+ if (chunk->msg) {
>+ notify = chunk->msg->send_failed ? -1 : 0;
>+ if (notify < 0) {
>+ if (chunk->msg->send_error)
>+ error = chunk->msg->send_error;
>+ else
>+ error = chunk->asoc->outqueue.error;
>+
>+ sp = sctp_sk(chunk->asoc->base.sk);
>+ notify = sctp_ulpevent_type_enabled(SCTP_SEND_FAILED,
>+ &sp->subscribe);
>+ }
>+
>+ if (notify > 0) {
>+ int sent;
>+ if (chunk->has_tsn)
>+ sent = SCTP_DATA_SENT;
>+ else
>+ sent = SCTP_DATA_UNSENT;
>+
>+ ev = sctp_ulpevent_make_send_failed(chunk->asoc,
>+ chunk, sent, error, GFP_ATOMIC);
>+ if (ev)
>+ sctp_ulpq_tail_event(&chunk->asoc->ulpq, ev);
>+ }
>+ }
>+
> /* Free the chunk skb data and the SCTP_chunk stub itself. */
> dev_kfree_skb(chunk->skb);
>
>@@ -1103,14 +1135,18 @@ static void sctp_chunk_destroy(struct sc
> /* Possibly, free the chunk. */
> void sctp_chunk_free(struct sctp_chunk *chunk)
> {
>+ struct sctp_datamsg *msg = chunk->msg;
>+
> BUG_ON(!list_empty(&chunk->list));
> list_del_init(&chunk->transmitted_list);
>+ list_del_init(&chunk->frag_list);
>+
>+ sctp_chunk_put(chunk);
>
> /* Release our reference on the message tracker. */
>- if (chunk->msg)
>- sctp_datamsg_put(chunk->msg);
>+ if (msg)
>+ sctp_datamsg_put(msg);
>
>- sctp_chunk_put(chunk);
> }
>
> /* Grab a reference to the chunk. */
>diff -up linux-2.6.18.noarch/net/sctp/chunk.c.orig linux-2.6.18.noarch/net/sctp/chunk.c
>--- linux-2.6.18.noarch/net/sctp/chunk.c.orig 2006-09-19 23:42:06.000000000 -0400
>+++ linux-2.6.18.noarch/net/sctp/chunk.c 2008-03-06 08:53:10.000000000 -0500
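Review bot: The block added to sctp_chunk_destroy() dereferences `chunk->msg` and `chunk->asoc` when the last chunk reference goes away, but nothing in the patch keeps the datamsg alive until then. sctp_chunk_free() (the next hunk) drops the message reference right after its own `sctp_chunk_put(chunk)` and leaves `chunk->msg` set, so if another holder performs the final put later, `chunk->msg->send_failed` is read from a datamsg that may already have been freed. Tying the two lifetimes together would avoid that: unlink `frag_list` and call `sctp_datamsg_put(chunk->msg);` here, after the notify block, instead of in sctp_chunk_free(). The block also assumes `chunk->asoc` is non-NULL whenever `chunk->msg` is set; that is probably true for DATA chunks but deserves a comment or a check.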
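Review bot: The reordering in sctp_chunk_free() is only safe because `msg` is cached before `sctp_chunk_put(chunk)`, which may free the chunk, and that dependency is not documented. A comment above the put such as `/* chunk may be freed below; only the cached msg is valid afterwards */` would keep a later edit from reintroducing `chunk->msg` after the put. The blank line left before the closing brace can go.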
>@@ -75,50 +75,8 @@ SCTP_STATIC struct sctp_datamsg *sctp_da
> /* Final destructruction of datamsg memory. */
> static void sctp_datamsg_destroy(struct sctp_datamsg *msg)
> {
>- struct list_head *pos, *temp;
>- struct sctp_chunk *chunk;
>- struct sctp_sock *sp;
>- struct sctp_ulpevent *ev;
>- struct sctp_association *asoc = NULL;
>- int error = 0, notify;
>-
>- /* If we failed, we may need to notify. */
>- notify = msg->send_failed ? -1 : 0;
>-
>- /* Release all references. */
>- list_for_each_safe(pos, temp, &msg->chunks) {
>- list_del_init(pos);
>- chunk = list_entry(pos, struct sctp_chunk, frag_list);
>- /* Check whether we _really_ need to notify. */
>- if (notify < 0) {
>- asoc = chunk->asoc;
>- if (msg->send_error)
>- error = msg->send_error;
>- else
>- error = asoc->outqueue.error;
>-
>- sp = sctp_sk(asoc->base.sk);
>- notify = sctp_ulpevent_type_enabled(SCTP_SEND_FAILED,
>- &sp->subscribe);
>- }
>-
>- /* Generate a SEND FAILED event only if enabled. */
>- if (notify > 0) {
>- int sent;
>- if (chunk->has_tsn)
>- sent = SCTP_DATA_SENT;
>- else
>- sent = SCTP_DATA_UNSENT;
>-
>- ev = sctp_ulpevent_make_send_failed(asoc, chunk, sent,
>- error, GFP_ATOMIC);
>- if (ev)
>- sctp_ulpq_tail_event(&asoc->ulpq, ev);
>- }
>-
>- sctp_chunk_put(chunk);
>- }
>-
>+ /* Make sure references are released */
>+ BUG_ON(!list_empty(&msg->chunks));
> SCTP_DBG_OBJCNT_DEC(datamsg);
> kfree(msg);
> }
>@@ -153,8 +111,17 @@ void sctp_datamsg_track(struct sctp_chun
> /* Assign a chunk to this datamsg. */
> static void sctp_datamsg_assign(struct sctp_datamsg *msg, struct sctp_chunk *chunk)
> {
>+ struct list_head *pos, *temp;
>+ struct sctp_chunk *frag_chunk;
>+
> sctp_datamsg_hold(msg);
> chunk->msg = msg;
>+ list_for_each_safe(pos, temp, &chunk->frag_list) {
>+ frag_chunk = list_entry(pos, struct sctp_chunk, frag_list);
>+ chunk->msg = msg;
>+ sctp_datamsg_hold(msg);
>+ }
>+ list_add_tail(&chunk->frag_list, &msg->chunks);
> }
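Review bot: The loop removed from sctp_datamsg_destroy() contained the `sctp_chunk_put(chunk)` that released one reference per chunk on `msg->chunks`, and no hunk in this patch adds a replacement put or removes the matching hold. If that hold is still taken elsewhere (sctp_datamsg_track(), named in the next hunk header, is the likely place, but its body is not shown), every tracked chunk keeps a reference forever. sctp_chunk_destroy() then never runs for it, so the skb memory leaks and the SEND_FAILED notification that moved there is never delivered. Separately, `BUG_ON(!list_empty(&msg->chunks))` turns any accounting slip into a kernel panic on a path driven by socket and peer activity; the comment above it should state which caller guarantees the list is empty, so the invariant can be reviewed.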
>
>
>@@ -242,7 +209,6 @@ struct sctp_datamsg *sctp_datamsg_from_u
> - (__u8 *)chunk->skb->data);
>
> sctp_datamsg_assign(msg, chunk);
>- list_add_tail(&chunk->frag_list, &msg->chunks);
>
> /* The first chunk, the first chunk was likely short
> * to allow bundling, so reset to full size.
>@@ -272,7 +238,6 @@ struct sctp_datamsg *sctp_datamsg_from_u
> goto errout;
>
> sctp_datamsg_assign(msg, chunk);
>- list_add_tail(&chunk->frag_list, &msg->chunks);
> }
>
> return msg;
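Review bot: In the loop added to sctp_datamsg_assign() (the `@@ -153,8 +111,17 @@` hunk), `frag_chunk` is computed but never used; the body sets `chunk->msg = msg;` again where `frag_chunk->msg = msg;` was presumably intended. As written, each iteration takes another `sctp_datamsg_hold(msg)` that no fragment records, so unless the fragment's `msg` is set elsewhere, sctp_chunk_free() on it has nothing to put and the datamsg reference count cannot return to zero. Nothing is removed during the walk, so `list_for_each_entry(frag_chunk, &chunk->frag_list, frag_list)` would be simpler than `list_for_each_safe`. It is also worth a comment on when `chunk->frag_list` can be non-empty at this point, since it is used as a list head here and then linked into `msg->chunks` as a node on the next line.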
Attachments on
bug 436067
:
296925
|
297049
|
297108
|
297214
|
297967