Quoting r. Roland Dreier <[EMAIL PROTECTED]>:
> Subject: Re: [PATCH] ipoib_mcast_restart_task
>
> Michael> The mcast pointer comes from stack. Surely we could have
> Michael> use after free in ipoib_mcast_join_complete trigger data
> Michael> corruption on stack and then trip on it?
>
> Now you're confusing me. Isn't the mcast pointer kmalloc()ed?
Sorry about that.
I think the memory *it points to* is kmalloc()ed - the
pointer itself, I think, comes from the stack.
static void
ipoib_mcast_sendonly_join_complete(int status,
                                   struct ib_sa_mcmember_rec *mcmember,
                                   void *mcast_ptr)
{
        struct ipoib_mcast *mcast = mcast_ptr;
        struct net_device *dev = mcast->dev;
So all I had in mind was obvious things like:
Assume that you have mcast pointing to random kernel data.
Doing things like skb_dequeue(&mcast->pkt_queue) will then do random things
to random memory locations; it could be the stack or anything else.
--
MST
_______________________________________________
openib-general mailing list
[email protected]
http://openib.org/mailman/listinfo/openib-general
To unsubscribe, please visit http://openib.org/mailman/listinfo/openib-general
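The hazard described in the message above, as an added user-space model rather than code from the IPoIB driver or this thread: an asynchronous join request hands its completion handler an opaque `void *` back-pointer, and if the owner has already released the object the handler dereferences dead memory. The mitigation modelled is the usual kernel one, a reference held by the outstanding request so the object outlives the completion. All names (`mcast_model`, `mcast_join_start`, `run_refcounted`, `run_unprotected`) and the three-packet queue are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not kernel code. A struct stands in for the multicast
 * object; a flag records release instead of free() so the completion can
 * observe whether it ran on a live object. In real code the freed memory is
 * reused and the corruption shows up elsewhere, which is the point of the
 * thread. */

struct pkt_queue {
    int len;                 /* stand-in for a struct sk_buff_head */
};

struct mcast_model {
    int refcount;            /* stand-in for a kref */
    int released;            /* 1 once the last reference is dropped */
    struct pkt_queue pkt_queue;
};

/* Allocation returns one reference owned by the creator. */
static struct mcast_model *mcast_alloc(void)
{
    struct mcast_model *m = calloc(1, sizeof(*m));
    if (!m)
        return NULL;
    m->refcount = 1;
    m->pkt_queue.len = 3;    /* constructed: three packets waiting on the join */
    return m;
}

static struct mcast_model *mcast_get(struct mcast_model *m)
{
    m->refcount++;
    return m;
}

/* Drops one reference; marks the object released instead of freeing it. */
static void mcast_put(struct mcast_model *m)
{
    if (--m->refcount == 0)
        m->released = 1;
}

/* Starting the request takes the reference that the completion will drop. */
static void *mcast_join_start(struct mcast_model *m)
{
    return mcast_get(m);
}

/* Completion handler in the shape of the function quoted in the thread:
 * status plus an opaque pointer recovered into the object type.
 * Returns 1 if it operated on a live object, 0 if the object had already
 * been released (the corruption case). */
static int mcast_join_complete(int status, void *mcast_ptr, int holds_ref)
{
    struct mcast_model *mcast = mcast_ptr;
    int live = !mcast->released;

    if (live && status == 0)
        mcast->pkt_queue.len = 0;   /* drain the queued packets */
    if (holds_ref)
        mcast_put(mcast);           /* drop the request's reference */
    return live;
}

/* With the request holding its own reference, the order of owner release
 * versus completion does not matter. Returns 1 when the completion saw a
 * live object and the object was released exactly once afterwards. */
static int run_refcounted(int owner_drops_first)
{
    struct mcast_model *m = mcast_alloc();
    void *req = mcast_join_start(m);
    int live, ok;

    if (owner_drops_first)
        mcast_put(m);
    live = mcast_join_complete(0, req, 1);
    if (!owner_drops_first)
        mcast_put(m);
    ok = live && m->released && m->refcount == 0;
    free(m);
    return ok;
}

/* Without the extra reference the owner's release ends the object while the
 * request is still pending, and the completion runs on dead memory. */
static int run_unprotected(void)
{
    struct mcast_model *m = mcast_alloc();
    void *req = m;                  /* no reference taken for the request */
    int live;

    mcast_put(m);                   /* owner's only reference: object gone */
    live = mcast_join_complete(0, req, 0);
    free(m);
    return live;                    /* 0: completion saw a released object */
}

int main(void)
{
    printf("refcounted, owner drops first: %s\n", run_refcounted(1) ? "safe" : "UNSAFE");
    printf("refcounted, completion first:  %s\n", run_refcounted(0) ? "safe" : "UNSAFE");
    printf("unprotected:                   %s\n", run_unprotected() ? "safe" : "UNSAFE");
    return 0;
}
```

The `released` flag makes the dangling dereference visible; with a real free() the handler would instead scribble over whatever the allocator handed out next, which is why the thread talks about stack or arbitrary memory getting corrupted rather than a clean failure.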