[tipc-discussion] [net v3 1/1] tipc: fix memory leak caused by tipc_buf_append()

2020-10-26 Thread Tung Nguyen
Commit ed42989eab57 ("tipc: fix the skb_unshare() in tipc_buf_append()") replaced skb_unshare() with skb_copy() to not reduce the data reference counter of the original skb intentionally. This is not the correct way to handle the cloned skb because it causes memory leak in 2 following cases: 1/

[tipc-discussion] [net v3] tipc: add stricter control of reserved service types

2020-10-26 Thread jmaloy
From: Jon Maloy TIPC reserves 64 service types for current and future internal use. Therefore, the bind() function is meant to block regular user sockets from being bound to these values, while it should let through such bindings from internal users. However, since we at the design moment saw

Re: [tipc-discussion] [net v2] tipc: add stricter control of reserved service types

2020-10-26 Thread Xue, Ying
Hi Jon, I have one idea about how to block the vulnerability described below from happening. Although it's not so elegant, it's quite simple: As you mentioned below, TIPC_TOP_SRV service is only published in tipc_topsrv_create_listener () from kernel space. So probably we can change the code

[tipc-discussion] [net v2 1/1] tipc: fix memory leak caused by tipc_buf_append()

2020-10-26 Thread Tung Nguyen
Commit ed42989eab57 ("fix the skb_unshare() in tipc_buf_append()") replaced skb_unshare() with skb_copy() to not reduce the data reference counter of the original skb intentionally. This is not the correct way to handle the cloned skb because it causes memory leak in 2 following cases: 1/ Sending

[tipc-discussion] [net v1 1/1] tipc: fix memory leak caused by tipc_buf_append()

2020-10-26 Thread Tung Nguyen
Commit ed42989eab57 ("fix the skb_unshare() in tipc_buf_append()") replaced skb_unshare() with skb_copy() to not reduce the data reference counter of the original skb intentionally. This is not the correct way to handle the cloned skb because it causes memory leak in 2 following cases: 1/ Sending

Re: [tipc-discussion] [net v1 1/1] tipc: fix memory leak caused by tipc_buf_append()

2020-10-26 Thread Xin Long
On Mon, Oct 26, 2020 at 5:30 PM Tung Quang Nguyen wrote: > > Hi Xin, > > Yes, I know that it should not be a problem if skb_free(NULL) is called. > But I relied on your analysis for syzbot report: > " > in tipc_msg_reassemble(): > > if ((, )) > break; >

Re: [tipc-discussion] [net v1 1/1] tipc: fix memory leak caused by tipc_buf_append()

2020-10-26 Thread Tung Quang Nguyen
Hi Xin, Yes, I know that it should not be a problem if skb_free(NULL) is called. But I relied on your analysis for syzbot report: " in tipc_msg_reassemble(): if ((, )) break; if (!head) goto error; <--- [1] }

Re: [tipc-discussion] [net v1 1/1] tipc: fix memory leak caused by tipc_buf_append()

2020-10-26 Thread Xin Long
On Fri, Oct 23, 2020 at 4:20 PM Tung Nguyen wrote: > > Commit ed42989eab57 ("fix the skb_unshare() in tipc_buf_append()") > replaced skb_unshare() with skb_copy() to not reduce the data reference > counter of the original skb intentionally. This is not the correct > way to handle the cloned skb