[tipc-discussion] [PATCH] Fix potential memory leak in tipc_named_node_up()

[Jesper Juhl]

There seems to be a memory leak in net/tipc/name_distr.c::tipc_named_node_up()

The function, with comments, is this :

void tipc_named_node_up(unsigned long node)
{
        struct publication *publ;
        struct distr_item *item = NULL;
        struct sk_buff *buf = NULL;
        u32 left = 0;
        u32 rest;
        u32 max_item_buf;

        read_lock_bh(&tipc_nametbl_lock);
        max_item_buf = TIPC_MAX_USER_MSG_SIZE / ITEM_SIZE;
        max_item_buf *= ITEM_SIZE;
        rest = publ_cnt * ITEM_SIZE;

        list_for_each_entry(publ, &publ_root, local_list) {
-----> If we stop processing here after doing 1, 2 & 3 below we end up at (4) 
(below).
                if (!buf) {
                        left = (rest <= max_item_buf) ? rest : max_item_buf;
                        rest -= left;
                        buf = named_prepare_buf(PUBLICATION, left, node);
-----> (1) here we allocate memory and store a pointer to it in 'buf'.

                        if (!buf) {
-----> (2) This test needs to fail, meaning we did allocate some memory.
                                warn("Bulk publication distribution failure\n");
                                goto exit;
                        }
                        item = (struct distr_item *)msg_data(buf_msg(buf));
                }
                publ_to_item(item, publ);
                item++;
                left -= ITEM_SIZE;
                if (!left) {
-----> (3) If this test fails we loop and do nothing to 'buf'.
                        msg_set_link_selector(buf_msg(buf), node);
                        dbg("tipc_named_node_up: sending publish msg to "
                            "<%u.%u.%u>\n", tipc_zone(node),
                            tipc_cluster(node), tipc_node(node));
                        tipc_link_send(buf, node, node);
                        buf = NULL;
                }
        }
exit:
        read_unlock_bh(&tipc_nametbl_lock);
-----> (4) here we return without freeing 'buf' - memory leak.
}

Luckily this is easy to fix, since we can only leave the function with 'buf'
either set to NULL or (in the leak case) set to a valid address, and since 
kfree() handles being passed NULL gracefully we can simply kfree(buf) just 
before we leave the function.

The patch below frees 'buf' before leaving the function, thus avoiding the 
potential leak.



Fix a potential memory leak in tipc_named_node_up()

Signed-off-by: Jesper Juhl <[EMAIL PROTECTED]>
---

 net/tipc/name_distr.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c
index 39fd161..228ccfe 100644
--- a/net/tipc/name_distr.c
+++ b/net/tipc/name_distr.c
@@ -204,6 +204,7 @@ void tipc_named_node_up(unsigned long node)
        }
 exit:
        read_unlock_bh(&tipc_nametbl_lock);
+       kfree(buf);
 }
 
 /**




-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
tipc-discussion mailing list
tipc-discussion@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tipc-discussion