[206] in linux-net channel archive
MEMORY OVERWRITE in net/inet/af_inet.c
daemon@ATHENA.MIT.EDU (Matthias Urlichs)
Mon Apr 17 16:16:52 1995
To: submit-linux-dev-net@ratatosk.yggdrasil.com
From: urlichs@smurf.noris.de (Matthias Urlichs)
Date: 17 Apr 1995 20:47:18 +0200
In net/inet/af_inet.c, at the end of inet_release(), there's code along the
lines of

    release_sock(sk);
    sk->socket = NULL;
Unfortunately, release_sock() can mark the socket as free, and if the timer
interrupt happens to occur between these two lines, the memory is freed and
you're hosed. Or the memory is freed and then reallocated and you're even
more hosed. :-( :-(
(Yes this does happen. I've found it with the kmalloc debug code which I've
patched into 1.2.5. A kcheck(sk) between these two lines complained within
the first minute. The system in question is a rather busy Internet gateway.)
I swapped these two lines and the problem seems to have disappeared for
now. Since I don't know what else may be affected by this, I'd like others
to check this before submitting an "official" patch.
--
A gentleman is one who never hurts anyone's feelings unintentionally.
--
Matthias Urlichs \ XLink-POP Nürnberg | EMail: urlichs@smurf.noris.de
Schleiermacherstraße 12 \ Unix+Linux+Mac | Phone: ...please use email.
90491 Nürnberg (Germany) \ Consulting+Networking+Programming+etc'ing 42
PGP: 1B 89 E2 1C 43 EA 80 44 15 D2 29 CF C6 C7 E0 DE
Click here: http://smurf.noris.de/~urlichs/finger
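The race described in the message, reduced to a runnable model. This is an added example, not code from the message or from the Linux kernel: the debug pool, kcheck(), clear_socket() and sim_release_sock() are hypothetical stand-ins, and the timer_fires flag models the timer interrupt landing between release_sock() and the following write. The checked write counts a use-after-free instead of corrupting memory, which is what the kmalloc debug code in the message made visible; the two functions differ only in the order of the two lines.

```c
#include <stdio.h>
#include <string.h>

struct sock {
    int dead;       /* socket is closing; a pending timer may destroy it */
    void *socket;   /* back-pointer that inet_release() clears */
};

/* Hypothetical debug pool: stand-in for the kmalloc debug code / kcheck(). */
#define POOL_SIZE 4
static struct sock pool[POOL_SIZE];
static int live[POOL_SIZE];
static int bad_writes;      /* writes attempted through a freed pointer */

static struct sock *dbg_alloc(void)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!live[i]) {
            live[i] = 1;
            memset(&pool[i], 0, sizeof pool[i]);
            return &pool[i];
        }
    }
    return NULL;
}

static void dbg_free(struct sock *sk)
{
    live[sk - pool] = 0;
}

/* kcheck(): 1 if sk still points at a live object, 0 once it has been freed. */
static int kcheck(const struct sock *sk)
{
    return live[sk - pool];
}

/* Checked stand-in for `sk->socket = NULL`: records a use-after-free rather
 * than scribbling on freed (or reallocated) memory. */
static void clear_socket(struct sock *sk)
{
    if (!kcheck(sk)) {
        bad_writes++;
        return;
    }
    sk->socket = NULL;
}

/* Simulated release_sock(): dropping the lock lets the timer run. If the timer
 * fires here and the socket is dead, it destroys (frees) the socket. */
static void sim_release_sock(struct sock *sk, int timer_fires)
{
    if (timer_fires && sk->dead)
        dbg_free(sk);
}

/* Order from the message: release first, then write. Returns the number of
 * writes that hit freed memory (1 when the timer fires in the window). */
static int inet_release_buggy(int timer_fires)
{
    struct sock *sk = dbg_alloc();
    if (!sk)
        return -1;
    bad_writes = 0;
    sk->dead = 1;
    sim_release_sock(sk, timer_fires);  /* may free sk */
    clear_socket(sk);                   /* use-after-free if it did */
    if (kcheck(sk))
        dbg_free(sk);                   /* timer did not run: free it ourselves */
    return bad_writes;
}

/* Swapped order, as the message proposes: write while we still own sk, then
 * release and never touch it again. Returns 0 in both timings. */
static int inet_release_fixed(int timer_fires)
{
    struct sock *sk = dbg_alloc();
    if (!sk)
        return -1;
    bad_writes = 0;
    sk->dead = 1;
    clear_socket(sk);                   /* sk is guaranteed live here */
    sim_release_sock(sk, timer_fires);  /* may free sk; no access after this */
    if (kcheck(sk))
        dbg_free(sk);
    return bad_writes;
}

int main(void)
{
    printf("buggy order, timer fires:  %d bad write(s)\n", inet_release_buggy(1));
    printf("buggy order, no timer:     %d bad write(s)\n", inet_release_buggy(0));
    printf("fixed order, timer fires:  %d bad write(s)\n", inet_release_fixed(1));
    printf("fixed order, no timer:     %d bad write(s)\n", inet_release_fixed(0));
    return 0;
}
```

The model only shows the ordering hazard; in a real kernel the write after release_sock() would also need to be excluded from any later reuse of the same allocation, which is the "freed and then reallocated" case the message warns about.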