Potential SKB Leak in usb-rx

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Inaky/All,

i2400mu_rxd calls i2400m_rx with the received SKB.  i2400m_rx does not free the SKB on error; i2400mu_rxd would still own the SKB.  i2400mu_rxd does not free the SKB if i2400m_rx returns an error; the SKB is leaked.  Is this analysis correct?

I believe the following would prevent the leak.  If everyone agrees, I'll submit a formal patch.

Regards,
...doug


diff --git a/drivers/net/wimax/i2400m/usb-rx.c b/drivers/net/wimax/i2400m/usb-rx
index a26483a..c84e671 100644
--- a/drivers/net/wimax/i2400m/usb-rx.c
+++ b/drivers/net/wimax/i2400m/usb-rx.c
@@ -383,6 +383,8 @@ int i2400mu_rxd(void *_i2400mu)
                i2400mu->rx_size_cnt++;
                i2400mu->rx_size_acc += rx_skb->len;
                result = i2400m_rx(i2400m, rx_skb);
+               if (result)
+                       kfree_skb(rx_skb);
                if (result == -EIO
                    && edc_inc(&i2400mu->urb_edc,
                               EDC_MAX_ERRORS, EDC_ERROR_TIMEFRAME)) {
[Index of Archives]     [Linux Kernel]     [Linux Wireless]     [Linux Bluetooth]     [Linux Netdev]     [Linux Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux