From linux-kernel-owner+willy=40w.ods.org@vger.kernel.org Wed Mar 12 20:04:00 2003 Return-Path: Received: from vax.home.local (vax [10.2.1.2]) by alpha.home.local (8.12.4/8.12.1) with ESMTP id h2CJ3xN1017447 for ; Wed, 12 Mar 2003 20:04:00 +0100 Received: from vger.kernel.org (vger.kernel.org [209.116.70.75]) by vax.home.local (8.12.2/8.12.1) with ESMTP id h2CJ3r1Q009824 for ; Wed, 12 Mar 2003 20:03:58 +0100 (CET) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Wed, 12 Mar 2003 13:48:23 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Wed, 12 Mar 2003 13:48:23 -0500 Received: from home.linuxhacker.ru ([194.67.236.68]:6561 "EHLO linuxhacker.ru") by vger.kernel.org with ESMTP id ; Wed, 12 Mar 2003 13:48:22 -0500 Received: from car.linuxhacker.ru (localhost.localdomain [127.0.0.1]) by linuxhacker.ru (8.12.7/8.12.5) with ESMTP id h2CIw6aZ027515; Wed, 12 Mar 2003 21:58:06 +0300 Received: (from green@localhost) by car.linuxhacker.ru (8.12.7/8.12.7/Submit) id h2CIw6FQ027513; Wed, 12 Mar 2003 21:58:06 +0300 Date: Wed, 12 Mar 2003 21:58:06 +0300 From: Oleg Drokin To: scott.feldman@intel.com, alan@redhat.com, torvalds@transmeta.com, linux-kernel@vger.kernel.org Subject: Memleak in e100 driver Message-ID: <20030312185806.GA27489@linuxhacker.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4i Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1157 Lines: 37 Status: RO Hello! There is a memleak in e100 driver from intel, both in 2.4 and 2.5 e100_ethtool_gstrings does not free "strings" variable if it cannot copy it to userspace. See the patch (identical for both 2.4 and 2.5). Found with help of smatch + enhanced unfree script. Bye, Oleg ===== drivers/net/e100/e100_main.c 1.23 vs edited ===== --- 1.23/drivers/net/e100/e100_main.c Sat Feb 1 22:38:18 2003 +++ edited/drivers/net/e100/e100_main.c Wed Mar 12 21:50:32 2003 @@ -3824,11 +3824,15 @@ return -EOPNOTSUPP; } - if (copy_to_user(ifr->ifr_data, &info, sizeof (info))) + if (copy_to_user(ifr->ifr_data, &info, sizeof (info))) { + kfree(strings); return -EFAULT; + } - if (copy_to_user(usr_strings, strings, info.len * ETH_GSTRING_LEN)) + if (copy_to_user(usr_strings, strings, info.len * ETH_GSTRING_LEN)) { + kfree(strings); return -EFAULT; + } kfree(strings); return 0; - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/