Commit ffa29347 authored Oct 16, 2005 by Herbert Xu Committed by Arnaldo Carvalho de Melo Oct 20, 2005

[DCCP]: Make dccp_write_xmit always free the packet



icmp_send doesn't use skb->sk at all so even if skb->sk has already
been freed it can't cause crash there (it would've crashed somewhere
else first, e.g., ip_queue_xmit).

I found a double-free on an skb that could explain this though.
dccp_sendmsg and dccp_write_xmit are a little confused as to what
should free the packet when something goes wrong.  Sometimes they
both go for the ball and end up in each other's way.

This patch makes dccp_write_xmit always free the packet no matter
what.  This makes sense since dccp_transmit_skb which in turn comes
from the fact that ip_queue_xmit always frees the packet.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>

parent fda0fd6c

net/dccp/output.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -241,7 +241,8 @@ int dccp_write_xmit(struct sock sk, struct sk_buff skb, long *timeo)

		err = dccp_transmit_skb(sk, skb);
		ccid_hc_tx_packet_sent(dp->dccps_hc_tx_ccid, sk, 0, len);
		}
		} else
		kfree_skb(skb);

		return err;
		}

net/dccp/proto.c

+0 −2

Original line number	Diff line number	Diff line
		@@ -402,8 +402,6 @@ int dccp_sendmsg(struct kiocb iocb, struct sock sk, struct msghdr *msg,
		* This bug was _quickly_ found & fixed by just looking at an OSTRA
		* generated callgraph 8) -acme
		*/
		if (rc != 0)
		goto out_discard;
		out_release:
		release_sock(sk);
		return rc ? : len;