[IPV6] TCPMD5: Fix deleting key operation.
Due to the bug, refcnt for md5sig pool was leaked when an user try to delete a key if we have more than one key. In addition to the leakage, we returned incorrect return result value for userspace. This fix should close Bug #9418, reported by <ming-baini@163.com>. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
aacbe8c880
commit
77adefdc98
1 changed files with 2 additions and 4 deletions
|
@ -637,10 +637,6 @@ static int tcp_v6_md5_do_del(struct sock *sk, struct in6_addr *peer)
|
||||||
kfree(tp->md5sig_info->keys6);
|
kfree(tp->md5sig_info->keys6);
|
||||||
tp->md5sig_info->keys6 = NULL;
|
tp->md5sig_info->keys6 = NULL;
|
||||||
tp->md5sig_info->alloced6 = 0;
|
tp->md5sig_info->alloced6 = 0;
|
||||||
|
|
||||||
tcp_free_md5sig_pool();
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
} else {
|
} else {
|
||||||
/* shrink the database */
|
/* shrink the database */
|
||||||
if (tp->md5sig_info->entries6 != i)
|
if (tp->md5sig_info->entries6 != i)
|
||||||
|
@ -649,6 +645,8 @@ static int tcp_v6_md5_do_del(struct sock *sk, struct in6_addr *peer)
|
||||||
(tp->md5sig_info->entries6 - i)
|
(tp->md5sig_info->entries6 - i)
|
||||||
* sizeof (tp->md5sig_info->keys6[0]));
|
* sizeof (tp->md5sig_info->keys6[0]));
|
||||||
}
|
}
|
||||||
|
tcp_free_md5sig_pool();
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return -ENOENT;
|
return -ENOENT;
|
||||||
|
|
Loading…
Reference in a new issue