From 164a98ea6b24fea3433516dcc0df496929674cdd Mon Sep 17 00:00:00 2001

From: Jan Synacek <jsynacek@redhat.com>

Date: Tue, 7 Jun 2016 12:43:38 +0200

Subject: [PATCH] sd-netlink: fix deep recursion in message destruction

On larger systems we might very well see messages with thousands of parts.

When we free them, we must avoid recursing into each part, otherwise we

very likely get stack overflows.

Fix sd_netlink_message_unref() to use an iterative approach rather than

recursion (also avoid tail-recursion in case it is not optimized by the

compiler).

(cherry picked from commit 82e4eda664d40ef60829e27d84b1610c2f4070cd)

Resolves: #1330593

---

 src/libsystemd/sd-rtnl/rtnl-message.c | 10 ++++++----

 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/libsystemd/sd-rtnl/rtnl-message.c b/src/libsystemd/sd-rtnl/rtnl-message.c

index 276591f31b..9276bbdebc 100644

--- a/src/libsystemd/sd-rtnl/rtnl-message.c

+++ b/src/libsystemd/sd-rtnl/rtnl-message.c

@@ -584,7 +584,9 @@ sd_rtnl_message *sd_rtnl_message_ref(sd_rtnl_message *m) {

 }

 sd_rtnl_message *sd_rtnl_message_unref(sd_rtnl_message *m) {

-        if (m && REFCNT_DEC(m->n_ref) == 0) {

+        sd_rtnl_message *t;

+

+        while (m && REFCNT_DEC(m->n_ref) == 0) {

                 unsigned i;

                 free(m->hdr);

@@ -592,9 +594,9 @@ sd_rtnl_message *sd_rtnl_message_unref(sd_rtnl_message *m) {

                 for (i = 0; i <= m->n_containers; i++)

                         free(m->rta_offset_tb[i]);

-                sd_rtnl_message_unref(m->next);

-

-                free(m);

+                t = m;

+                m = m->next;

+                free(t);

         }

         return NULL;