[openib-general] Re: [PATCH] ipoib_mcast_restart_task
Michael S. Tsirkin
mst at mellanox.co.il
Wed Apr 5 10:13:14 PDT 2006
Quoting r. Roland Dreier <rdreier at cisco.com>:
> Subject: Re: [PATCH] ipoib_mcast_restart_task
>
> Michael> The mcast pointer comes from stack. Surely we could have
> Michael> use after free in ipoib_mcast_join_complete trigger data
> Michael> corruption on stack and then trip on it?
>
> Now you're confusing me. Isn't the mcast pointer kmalloc()ed?
Sorry about that.
I think the memory *it points to* is kmalloc()ed - the
pointer itself I think comes from stack.
static void
ipoib_mcast_sendonly_join_complete(int status,
                                   struct ib_sa_mcmember_rec *mcmember,
                                   void *mcast_ptr)
{
	struct ipoib_mcast *mcast = mcast_ptr;
	struct net_device *dev = mcast->dev;
So all I had in mind was obvious things like:
Assume that you have mcast pointing to random kernel data.
Doing things like skb_dequeue(&mcast->pkt_queue) will now do random things
to random memory locations; it could be stack or anything else.
--
MST
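Illustrating the point above in userspace C, as an added example that is not from the ipoib driver or this thread: a reference taken for the pending completion keeps the kmalloc()ed object alive until the callback has run, so the void * the callback receives never points at freed memory. All names (demo_mcast, demo_join_complete, demo_restart_scenario) are hypothetical stand-ins, and the refcount scheme is one standard remedy, not the patch discussed here.

```c
#include <stdlib.h>
/* Hypothetical stand-in for struct ipoib_mcast. The refcount is the
 * assumption: a pending join completion holds its own reference, so the
 * object cannot be freed underneath the callback. */
struct demo_mcast {
    int refcnt;
    int pkt_queue_len; /* stands in for skb_queue_len(&mcast->pkt_queue) */
    int joined;
};
static int freed_count; /* times demo_mcast_put() actually released memory */
static struct demo_mcast *demo_mcast_get(struct demo_mcast *m) { m->refcnt++; return m; }
static void demo_mcast_put(struct demo_mcast *m)
{
    if (--m->refcnt == 0) { freed_count++; free(m); }
}

/* Completion handler, shaped like the callback quoted in the mail. */
static void demo_join_complete(int status, void *mcast_ptr)
{
    struct demo_mcast *mcast = mcast_ptr; /* still valid: the query holds a ref */
    if (status == 0) {
        mcast->joined = 1;
        mcast->pkt_queue_len = 0; /* queued packets would be flushed here */
    }
    demo_mcast_put(mcast); /* drop the ref taken when the query was issued */
}

/* Issue the asynchronous join: the void * handed to the completion carries
 * its own reference, which the completion drops when it runs. */
static void *demo_issue_join(struct demo_mcast *m)
{
    return demo_mcast_get(m);
}

/* Owner drops its reference while the join is still pending (the restart_task
 * case). Returns 1 if the object outlived that and was freed exactly once. */
int demo_restart_scenario(void)
{
    struct demo_mcast *m = calloc(1, sizeof *m);
    void *pending_arg;
    int alive_at_completion;
    if (!m) return 0;
    freed_count = 0;
    m->refcnt = 1; m->pkt_queue_len = 3;
    pending_arg = demo_issue_join(m);
    demo_mcast_put(m);     /* owner's ref gone: refcnt 2 -> 1, memory kept */
    alive_at_completion = (freed_count == 0);
    demo_join_complete(0, pending_arg); /* fires later: refcnt 1 -> 0, freed */
    return alive_at_completion && freed_count == 1;
}
```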