[Quantal CVE 2/2] UBUNTU: SAUCE: xen/netback: free already allocated memory on failure in xen_netbk_get_requests
Luis Henriques
luis.henriques at canonical.com
Fri Feb 8 15:19:01 UTC 2013
From: Ian Campbell <ian.campbell at citrix.com>
BugLink: http://bugs.launchpad.net/bugs/1117331
Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
CVE-2013-0217
Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
Acked-by: Luis Henriques <luis.henriques at canonical.com>
---
drivers/net/xen-netback/netback.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
index d0a52b9..9a5189e 100644
--- a/drivers/net/xen-netback/netback.c
+++ b/drivers/net/xen-netback/netback.c
@@ -949,7 +949,7 @@ static struct gnttab_copy *xen_netbk_get_requests(struct xen_netbk *netbk,
pending_idx = netbk->pending_ring[index];
page = xen_netbk_alloc_page(netbk, skb, pending_idx);
if (!page)
- return NULL;
+ goto err;
gop->source.u.ref = txp->gref;
gop->source.domid = vif->domid;
@@ -971,6 +971,20 @@ static struct gnttab_copy *xen_netbk_get_requests(struct xen_netbk *netbk,
}
return gop;
+err:
+ /*
+ * Unwind, freeing all pages and sending error
+ * reponses.
+ */
+ while (i-- > start) {
+ xen_netbk_idx_release(netbk, frag_get_pending_idx(&frags[i]),
+ XEN_NETIF_RSP_ERROR);
+ }
+ /* The head too, if necessary. */
+ if (start)
+ xen_netbk_idx_release(netbk, pending_idx, XEN_NETIF_RSP_ERROR);
+
+ return NULL;
}
static int xen_netbk_tx_check_gop(struct xen_netbk *netbk,
--
1.7.9.5
More information about the kernel-team
mailing list