summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSven Eckelmann <sven@narfation.org>2015-08-18 14:37:01 +0300
committerDavid S. Miller <davem@davemloft.net>2015-08-19 05:08:23 +0300
commitfd7dec25a18f495e50d2040398fd263836ff3b28 (patch)
tree2f16bcbb872e72622506b36fe3e32c503bc78b29
parentff94c742dfeea3110f1e1d27399d728f8494d29e (diff)
downloadlinux-fd7dec25a18f495e50d2040398fd263836ff3b28.tar.xz
batman-adv: Fix memory leak on tt add with invalid vlan
The object tt_local is allocated with kmalloc and not initialized when the function batadv_tt_local_add checks for the vlan. But this function can only cleanup the object when the (not yet initialized) reference counter of the object is 1. This is unlikely and thus the object would leak when the vlan could not be found. Instead the uninitialized object tt_local has to be freed manually and the pointer has to set to NULL to avoid calling the function which would try to decrement the reference counter of the not existing object. CID: 1316518 Fixes: 354136bcc3c4 ("batman-adv: fix kernel crash due to missing NULL checks") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/batman-adv/translation-table.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index 5e953297d3b2..5809b39c1922 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -595,8 +595,11 @@ bool batadv_tt_local_add(struct net_device *soft_iface, const uint8_t *addr,
/* increase the refcounter of the related vlan */
vlan = batadv_softif_vlan_get(bat_priv, vid);
if (WARN(!vlan, "adding TT local entry %pM to non-existent VLAN %d",
- addr, BATADV_PRINT_VID(vid)))
+ addr, BATADV_PRINT_VID(vid))) {
+ kfree(tt_local);
+ tt_local = NULL;
goto out;
+ }
batadv_dbg(BATADV_DBG_TT, bat_priv,
"Creating new local tt entry: %pM (vid: %d, ttvn: %d)\n",