[systemd-devel] [PATCH v2 6/7] connection: fix user quota accounting corruption

Djalal Harouni tixxdz at opendz.org
Wed Jul 30 13:11:57 PDT 2014


First use kzalloc to allocate the users array, so we do not reference
uninitialized values.

And free the old conn->msg_users array not the newly allocated 'users'
one.

Patch tested, and users will hit the KDBUS_CONN_MAX_MSGS_PER_USER limit
and fail with -ENOBUFS.

Signed-off-by: Djalal Harouni <tixxdz at opendz.org>
---
 connection.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/connection.c b/connection.c
index 8838029..3cd84ce 100644
--- a/connection.c
+++ b/connection.c
@@ -636,13 +636,13 @@ static int kdbus_conn_queue_user_quota(struct kdbus_conn *conn,
 		unsigned int i;
 
 		i = 8 + KDBUS_ALIGN8(user);
-		users = kmalloc(sizeof(unsigned int) * i, GFP_KERNEL);
+		users = kzalloc(sizeof(unsigned int) * i, GFP_KERNEL);
 		if (!users)
 			return -ENOMEM;
 
 		memcpy(users, conn->msg_users,
 		       sizeof(unsigned int) * conn->msg_users_max);
-		kfree(users);
+		kfree(conn->msg_users);
 		conn->msg_users = users;
 		conn->msg_users_max = i;
 	}
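Review bot: the kfree(conn->msg_users) change is the important one here, since the old code freed the freshly allocated 'users' buffer and then stored that dangling pointer in conn->msg_users, so every later access to the quota array was a use-after-free. With the memcpy covering only the first conn->msg_users_max entries, the kzalloc change is what guarantees the tail entries [msg_users_max, i) start at zero instead of whatever kmalloc returned. One suggestion for this hunk: since i is derived from the caller-supplied user index, prefer `users = kcalloc(i, sizeof(unsigned int), GFP_KERNEL);`, which zeroes the array and also checks the size multiplication for overflow, rather than open-coding `sizeof(unsigned int) * i`.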
-- 
1.9.3
