First use kzalloc to allocate the users array, so we do not reference
uninitialized values.
And free the old conn->msg_users array not the newly allocated 'users'
one.
Patch tested, and users will hit the KDBUS_CONN_MAX_MSGS_PER_USER limit
and fail with -ENOBUFS.
Signed-off-by: Djalal Harouni <tixxdz@opendz.org>
unsigned int i;
i = 8 + KDBUS_ALIGN8(user);
- users = kmalloc(sizeof(unsigned int) * i, GFP_KERNEL);
+ users = kzalloc(sizeof(unsigned int) * i, GFP_KERNEL);
if (!users)
return -ENOMEM;
memcpy(users, conn->msg_users,
sizeof(unsigned int) * conn->msg_users_max);
- kfree(users);
+ kfree(conn->msg_users);
conn->msg_users = users;
conn->msg_users_max = i;
}
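Review bot: the size passed to kzalloc is still an open-coded multiplication, sizeof(unsigned int) * i, with i derived from 8 + KDBUS_ALIGN8(user). kcalloc(i, sizeof(unsigned int), GFP_KERNEL) zeroes the array the same way and also fails cleanly if the product overflows, so it is the better fit here. The memcpy that follows copies sizeof(unsigned int) * conn->msg_users_max bytes into the new buffer, which is only safe while conn->msg_users_max does not exceed i; the visible lines do not show that guard, so a one-line comment stating the invariant next to the memcpy would make the resize easier to audit.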