Commit d293ca71 authored Apr 21, 2026 by Lee Jones Committed by Jakub Kicinski Apr 23, 2026

tipc: fix double-free in tipc_buf_append()



tipc_msg_validate() can potentially reallocate the skb it is validating,
freeing the old one.  In tipc_buf_append(), it was being called with a
pointer to a local variable which was a copy of the caller's skb
pointer.

If the skb was reallocated and validation subsequently failed, the error
handling path would free the original skb pointer, which had already
been freed, leading to double-free.

Fix this by checking if head now points to a newly allocated reassembled
skb.  If it does, reassign *headbuf for later freeing operations.

Fixes: d618d09a ("tipc: enforce valid ratio between skb truesize and contents")
Suggested-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Signed-off-by: Lee Jones <lee@kernel.org>
Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 864ba40c

net/tipc/msg.c

+13 −1

Original line number	Diff line number	Diff line
		@@ -177,8 +177,20 @@ int tipc_buf_append(struct sk_buff headbuf, struct sk_buff buf)

		if (fragid == LAST_FRAGMENT) {
		TIPC_SKB_CB(head)->validated = 0;
		if (unlikely(!tipc_msg_validate(&head)))

		/* If the reassembled skb has been freed in
		* tipc_msg_validate() because of an invalid truesize,
		* then head will point to a newly allocated reassembled
		* skb, while *headbuf points to freed reassembled skb.
		* In such cases, correct *headbuf for freeing the newly
		* allocated reassembled skb later.
		*/
		if (unlikely(!tipc_msg_validate(&head))) {
		if (head != *headbuf)
		*headbuf = head;
		goto err;
		}

		*buf = head;
		TIPC_SKB_CB(head)->tail = NULL;
		*headbuf = NULL;