Commit bb241f20 authored by Chris Wright, committed by Linus Torvalds

[PATCH] fix memleak in sys_mq_timedsend

Move error handling to capture all three possible error conditions on
sending to a full queue.  Without this fix any unprivileged user can
leak arbitrary amounts of kernel memory.
parent 3078adde
...@@ -811,9 +811,9 @@ asmlinkage long sys_mq_timedsend(mqd_t mqdes, const char __user *u_msg_ptr, ...@@ -811,9 +811,9 @@ asmlinkage long sys_mq_timedsend(mqd_t mqdes, const char __user *u_msg_ptr,
wait.msg = (void *) msg_ptr; wait.msg = (void *) msg_ptr;
wait.state = STATE_NONE; wait.state = STATE_NONE;
ret = wq_sleep(info, SEND, timeout, &wait); ret = wq_sleep(info, SEND, timeout, &wait);
}
if (ret < 0) if (ret < 0)
free_msg(msg_ptr); free_msg(msg_ptr);
}
} else { } else {
receiver = wq_get_first_waiter(info, RECV); receiver = wq_get_first_waiter(info, RECV);
if (receiver) { if (receiver) {
......
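Review bot: The relocated `if (ret < 0) free_msg(msg_ptr);`, now placed after the closing brace that follows the `wq_sleep()` call, carries no comment saying that it covers every error path of the full-queue case, and the two paths other than `wq_sleep()` lie above this hunk, so a reader of the code cannot see from here why the check sits outside that block. A one-line comment above it naming the three error conditions the commit message refers to would keep a later cleanup from moving it back inside. The check also relies on each of those paths leaving a negative value in `ret` and on `msg_ptr` still belonging to the caller at that point, which is worth confirming against the lines above the hunk before merging.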