ipv6: fix a possible double free
authorRoy Li <rongqing.li@windriver.com>
Tue, 20 Sep 2011 19:10:16 +0000 (15:10 -0400)
committerDavid S. Miller <davem@davemloft.net>
Tue, 20 Sep 2011 19:10:16 +0000 (15:10 -0400)
When calling snmp6_alloc_dev fails, the snmp6 relevant memory
are freed by snmp6_alloc_dev. Calling in6_dev_finish_destroy
will free these memory twice.

Double free will lead that undefined behavior occurs.

Signed-off-by: Roy Li <rongqing.li@windriver.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/addrconf.c

index f012ebd87b4338181f76d3154165eb1f41cd0ba4..12368c586068a426d7235cf34c602195d2370601 100644 (file)
@@ -374,8 +374,8 @@ static struct inet6_dev * ipv6_add_dev(struct net_device *dev)
                        "%s(): cannot allocate memory for statistics; dev=%s.\n",
                        __func__, dev->name));
                neigh_parms_release(&nd_tbl, ndev->nd_parms);
-               ndev->dead = 1;
-               in6_dev_finish_destroy(ndev);
+               dev_put(dev);
+               kfree(ndev);
                return NULL;
        }