git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Luxiao Xu <rakukuip@gmail.com>
	Sat, 11 Apr 2026 15:10:10 +0000 (23:10 +0800)
committer	Paolo Abeni <pabeni@redhat.com>
	Tue, 14 Apr 2026 10:37:00 +0000 (12:37 +0200)
commit	fe72340daaf1af588be88056faf98965f39e6032
tree	8ee13a6c8e65e32f4a6bcf6009d81cfd35067cb1	tree \| snapshot
parent	600dc40554dc5ad1e6f3af51f700228033f43ea7	commit \| diff

net: strparser: fix skb_head leak in strp_abort_strp()

When the stream parser is aborted, for example after a message assembly timeout,
it can still hold a reference to a partially assembled message in
strp->skb_head.

That skb is not released in strp_abort_strp(), which leaks the partially
assembled message and can be triggered repeatedly to exhaust memory.

Fix this by freeing strp->skb_head and resetting the parser state in the
abort path. Leave strp_stop() unchanged so final cleanup still happens in
strp_done() after the work and timer have been synchronized.

Fixes: 43a0c6751a32 ("strparser: Stream parser for messages")
Cc: stable@kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Link: https://patch.msgid.link/ade3857a9404999ce9a1c27ec523efc896072678.1775482694.git.rakukuip@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>