[Drbd-dev] [Bug] block: drdb: A use after free bug in get_initial_state

[lyl2019 at mail.ustc.edu.cn]

Hi,
 In function get_initial_state, it calls notify_initial_state_done(skb, seq)
and goto out. Inside notify_initial_state_done(), the skb will be freed by
nlmsg_free(skb) in the nla_put_failure label. But after the skb is used by the
return value of get_initial_state with skb->len.


Is this an issue？


Thanks.




下载视频
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linbit.com/pipermail/drbd-dev/attachments/20210325/adf4a710/attachment.htm>