From: "Andrey V. Elsukov"
Date: Mon, 2 Mar 2015 08:00:00 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject: svn commit: r279517 - stable/9/sys/kern

Author: ae
Date: Mon Mar 2 08:00:00 2015
New Revision: 279517
URL: https://svnweb.freebsd.org/changeset/base/279517

Log:
  MFC r279206:
  In some cases soreceive_dgram() can return no data, but has control
  message. This can happen when application is sending packets too big
  for the path MTU and recvmsg() will return zero (indicating no data)
  but there will be a cmsghdr with cmsg_type set to IPV6_PATHMTU.
  Remove KASSERT() which does NULL pointer dereference in such case.
  Also call m_freem() only when m isn't NULL.

  MFC r279209:
  soreceive_generic() still has similar KASSERT(), therefore instead of
  remove KASSERT(), change it to check mbuf isn't NULL.

  PR: 197882
  Sponsored by: Yandex LLC

Modified:
  stable/9/sys/kern/uipc_socket.c
Directory Properties:
  stable/9/sys/ (props changed)

Modified: stable/9/sys/kern/uipc_socket.c
==============================================================================
--- stable/9/sys/kern/uipc_socket.c Mon Mar 2 07:51:14 2015 (r279516)
+++ stable/9/sys/kern/uipc_socket.c Mon Mar 2 08:00:00 2015 (r279517)
@@ -2311,7 +2311,8 @@ soreceive_dgram(struct socket *so, struc * Process one or more MT_CONTROL mbufs present before any data mbufs * in the first mbuf chain on the socket buffer. We call into the * protocol to perform externalization (or freeing if controlp == - * NULL). + * NULL). In some cases there can be only MT_CONTROL mbufs without + * MT_DATA mbufs. */ if (m->m_type == MT_CONTROL) { struct mbuf *cm = NULL, *cmn; @@ -2341,8 +2342,8 @@ soreceive_dgram(struct socket *so, struc cm = cmn; } } - KASSERT(m->m_type == MT_DATA, ("soreceive_dgram: !data")); - + KASSERT(m == NULL || m->m_type == MT_DATA, + ("soreceive_dgram: !data")); while (m != NULL && uio->uio_resid > 0) { len = uio->uio_resid; if (len > m->m_len) @@ -2359,9 +2360,10 @@ soreceive_dgram(struct socket *so, struc m->m_len -= len; } } - if (m != NULL) + if (m != NULL) { flags |= MSG_TRUNC; - m_freem(m); + m_freem(m); + } if (flagsp != NULL) *flagsp |= flags; return (0);
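Review bot: The comment sentence added in the first hunk (@@ -2311,7 +2311,8 @@), "In some cases there can be only MT_CONTROL mbufs without MT_DATA mbufs", does not say which cases, so a later reader of soreceive_dgram() has to find this log to learn why m may be NULL once the control loop finishes. Suggest naming the trigger given in the log, for example that a datagram too big for the path MTU yields a chain carrying only an IPV6_PATHMTU control message, and stating that m can be NULL from this point on.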
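Review bot: The log and the second hunk (@@ -2341,8 +2342,8 @@) do not line up on a first read: the r279206 text says "Remove KASSERT()", and the r279209 text names soreceive_generic(), yet every hunk header here is soreceive_dgram() and the assertion is kept in the relaxed form "KASSERT(m == NULL || m->m_type == MT_DATA, ...". Suggest the merged log say directly that the net effect is a NULL-tolerant assertion in soreceive_dgram(). The guard order is right, since "m == NULL ||" short-circuits before "m->m_type" is read, and the following "while (m != NULL && uio->uio_resid > 0)" already copes with an empty chain. With the third hunk the control-only case returns 0 without setting MSG_TRUNC, which matches the zero-length recvmsg() result the log describes.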