[systemd-devel] [PATCH 7/7] connection: fix user quota accounting corruption
Djalal Harouni
tixxdz at opendz.org
Thu Jul 24 13:12:07 PDT 2014
Hi,
It seems there is still another bug in the use/calculation of
conn->msg_users_max, will send another patch on top of this.
On Wed, Jul 23, 2014 at 10:19:11PM +0100, Djalal Harouni wrote:
> First use kzalloc to allocate the users array, so we do not reference
> uninitialized values.
>
> And free the old conn->msg_users array not the newly allocated 'users'
> one.
>
> Patch tested, and users will hit the KDBUS_CONN_MAX_MSGS_PER_USER limit
> and fail with -ENOBUFS
>
> Signed-off-by: Djalal Harouni <tixxdz at opendz.org>
> ---
> connection.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/connection.c b/connection.c
> index c432286..a2ed645 100644
> --- a/connection.c
> +++ b/connection.c
> @@ -634,13 +634,13 @@ static int kdbus_conn_queue_user_quota(struct kdbus_conn *conn,
> unsigned int i;
>
> i = 8 + KDBUS_ALIGN8(user);
> - users = kmalloc(sizeof(unsigned int) * i, GFP_KERNEL);
> + users = kzalloc(sizeof(unsigned int) * i, GFP_KERNEL);
> if (!users)
> return -ENOMEM;
>
> memcpy(users, conn->msg_users,
> sizeof(unsigned int) * conn->msg_users_max);
> - kfree(users);
> + kfree(conn->msg_users);
> conn->msg_users = users;
> conn->msg_users_max = i;
> }
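Review bot: At the kzalloc() line the size is still an open-coded multiplication, sizeof(unsigned int) * i, with i derived from user; kcalloc(i, sizeof(*users), GFP_KERNEL) zeroes the array the same way and also returns NULL if the multiplication overflows. The memcpy() that follows copies conn->msg_users_max entries into the new array, so the condition guarding this block (not visible in the hunk) should guarantee that i is larger than the old msg_users_max before the copy runs.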
> --
> 1.9.3
>
--
Djalal Harouni
http://opendz.org