From: Xin Long <lucien.xin@xxxxxxxxx>
Date: Tue, 29 Dec 2015 17:49:25 +0800

> In sctp_close, sctp_make_abort_user may return NULL because of memory
> allocation failure. If this happens, it will bypass any state change
> and never free the assoc. The assoc has no chance to be freed and it
> will be kept in memory with the state it had even after the socket is
> closed by sctp_close().
>
> So if sctp_make_abort_user fails to allocate memory, we should abort
> the asoc via sctp_primitive_ABORT as well. Just like the annotation in
> sctp_sf_cookie_wait_prm_abort and sctp_sf_do_9_1_prm_abort said,
> "Even if we can't send the ABORT due to low memory delete the TCB.
> This is a departure from our typical NOMEM handling".
>
> But then the chunk is NULL (low memory) and the SCTP_CMD_REPLY cmd would
> dereference the chunk pointer, and the system would crash. So we should add
> the SCTP_CMD_REPLY cmd only when the chunk is not NULL, just like other
> places where it adds the SCTP_CMD_REPLY cmd.
>
> Signed-off-by: Xin Long <lucien.xin@xxxxxxxxx>
> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>

Applied and queued up for -stable, thanks.
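A simplified model of the two close paths described in the commit message, added here as an illustration and not the kernel's SCTP code: the struct names, `make_abort_user`, `close_before_fix`, `close_after_fix` and `assoc_freed_after` are hypothetical stand-ins, and `oom` simulates the allocation failure.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Toy stand-ins for the kernel objects the commit message talks about. */
struct chunk { char payload[16]; };
struct assoc { bool aborted; bool freed; int replies_queued; };

/* Simulated sctp_make_abort_user(): returns NULL when memory is exhausted. */
static struct chunk *make_abort_user(bool oom)
{
    return oom ? NULL : calloc(1, sizeof(struct chunk));
}

/* Close path before the fix: an allocation failure returns early, so no
 * state change happens and the association is never freed (the leak). */
static void close_before_fix(struct assoc *a, bool oom)
{
    struct chunk *c = make_abort_user(oom);
    if (!c)
        return;               /* bug: assoc stays alive after close */
    a->replies_queued++;      /* SCTP_CMD_REPLY with a valid chunk */
    a->aborted = true;
    a->freed = true;
    free(c);
}

/* Close path after the fix: the abort and TCB deletion always run; the
 * reply command is only queued when a chunk exists, so the reply path
 * never dereferences a NULL chunk. */
static void close_after_fix(struct assoc *a, bool oom)
{
    struct chunk *c = make_abort_user(oom);
    if (c)
        a->replies_queued++;  /* SCTP_CMD_REPLY only with a real chunk */
    a->aborted = true;        /* sctp_primitive_ABORT still taken */
    a->freed = true;          /* TCB deleted even under low memory */
    free(c);                  /* free(NULL) is a no-op */
}

/* Helper: run one close path on a fresh association and report whether
 * it was freed; used to compare the two behaviours. */
static bool assoc_freed_after(void (*close_fn)(struct assoc *, bool), bool oom)
{
    struct assoc a = {0};
    close_fn(&a, oom);
    return a.freed;
}
```

Under simulated memory pressure the pre-fix path leaves the association unfreed while the fixed path still frees it and queues no reply.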