Commit fe72340d authored Apr 11, 2026 by Luxiao Xu Committed by Paolo Abeni Apr 14, 2026

net: strparser: fix skb_head leak in strp_abort_strp()



When the stream parser is aborted, for example after a message assembly timeout,
it can still hold a reference to a partially assembled message in
strp->skb_head.

That skb is not released in strp_abort_strp(), which leaks the partially
assembled message and can be triggered repeatedly to exhaust memory.

Fix this by freeing strp->skb_head and resetting the parser state in the
abort path. Leave strp_stop() unchanged so final cleanup still happens in
strp_done() after the work and timer have been synchronized.

Fixes: 43a0c675 ("strparser: Stream parser for messages")
Cc: stable@kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Link: https://patch.msgid.link/ade3857a9404999ce9a1c27ec523efc896072678.1775482694.git.rakukuip@gmail.com


Signed-off-by: Paolo Abeni <pabeni@redhat.com>

parent 600dc405

net/strparser/strparser.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -45,6 +45,14 @@ static void strp_abort_strp(struct strparser *strp, int err)

		strp->stopped = 1;

		if (strp->skb_head) {
		kfree_skb(strp->skb_head);
		strp->skb_head = NULL;
		}

		strp->skb_nextp = NULL;
		strp->need_bytes = 0;

		if (strp->sk) {
		struct sock *sk = strp->sk;