[PATCH] fix memleak in sys_mq_timedsend

Move error handling to capture all three possible error conditions on sending to a full queue. Without this fix any unprivileged user can leak arbitrary amounts of kernel memory.
author: Chris Wright <chrisw@osdl.org> 2004-05-04 04:10:25 -0700
committer: Linus Torvalds <torvalds@ppc970.osdl.org> 2004-05-04 04:10:25 -0700
commit: bb241f20abe0143220ac2c835f45df8e4338cb5d (patch)
tree: 68f2cf7bca958b1e21d58bdc02a0f58112659649
parent: 3078adde5aae7ee93598bccc233fdfab9fbbadb9 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/ipc/mqueue.c b/ipc/mqueue.c
index 8c54e3e81d22..d13a9f37e145 100644
--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -811,9 +811,9 @@ asmlinkage long sys_mq_timedsend(mqd_t mqdes, const char __user *u_msg_ptr,
 			wait.msg = (void *) msg_ptr;
 			wait.state = STATE_NONE;
 			ret = wq_sleep(info, SEND, timeout, &wait);
-			if (ret < 0)
-				free_msg(msg_ptr);
 		}
+		if (ret < 0)
+			free_msg(msg_ptr);
 	} else {
 		receiver = wq_get_first_waiter(info, RECV);
 		if (receiver) {
author	Chris Wright <chrisw@osdl.org>	2004-05-04 04:10:25 -0700
committer	Linus Torvalds <torvalds@ppc970.osdl.org>	2004-05-04 04:10:25 -0700
commit	bb241f20abe0143220ac2c835f45df8e4338cb5d (patch)
tree	68f2cf7bca958b1e21d58bdc02a0f58112659649
parent	3078adde5aae7ee93598bccc233fdfab9fbbadb9 (diff)