Skip to content

Commit c34186e

Browse files
Julia Lawalldavem330
Julia Lawall
authored and
davem330
committed
net/ipv4: Eliminate kstrdup memory leak
The string clone is only used as a temporary copy of the argument val within the while loop, and so it should be freed before leaving the function. The call to strsep, however, modifies clone, so a pointer to the front of the string is kept in saved_clone, to make it possible to free it. The sematic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @r exists@ local idexpression x; expression E; identifier l; statement S; @@ *x= \(kasprintf\|kstrdup\)(...); ... if (x == NULL) S ... when != kfree(x) when != E = x if (...) { <... when != kfree(x) * goto l; ...> * return ...; } // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 7e36873 commit c34186e

File tree

1 file changed

+3
-2
lines changed

1 file changed

+3
-2
lines changed

net/ipv4/tcp_cong.c

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -196,10 +196,10 @@ void tcp_get_allowed_congestion_control(char *buf, size_t maxlen)
196196
int tcp_set_allowed_congestion_control(char *val)
197197
{
198198
struct tcp_congestion_ops *ca;
199-
char *clone, *name;
199+
char *saved_clone, *clone, *name;
200200
int ret = 0;
201201

202-
clone = kstrdup(val, GFP_USER);
202+
saved_clone = clone = kstrdup(val, GFP_USER);
203203
if (!clone)
204204
return -ENOMEM;
205205

@@ -226,6 +226,7 @@ int tcp_set_allowed_congestion_control(char *val)
226226
}
227227
out:
228228
spin_unlock(&tcp_cong_list_lock);
229+
kfree(saved_clone);
229230

230231
return ret;
231232
}

0 commit comments

Comments
 (0)