Date:      Sat, 10 Dec 2016 21:35:04 +0100
From:      Oliver Pinter <oliver.pinter@hardenedbsd.org>
To:        Hiren Panchasara <hiren@freebsd.org>
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org,  svn-src-head@freebsd.org, Lohith Bellad <lohith.bellad@me.com>
Subject:   Re: svn commit: r307745 - head/sys/kern
Message-ID:  <CAPQ4fft5M=5zMtKeTJbmwF5pBg=s7yn9RwMOyEfm-xZYujhkbw@mail.gmail.com>
In-Reply-To: <201610211827.u9LIRUUi010303@repo.freebsd.org>
References:  <201610211827.u9LIRUUi010303@repo.freebsd.org>

On 10/21/16, Hiren Panchasara <hiren@freebsd.org> wrote:
> Author: hiren
> Date: Fri Oct 21 18:27:30 2016
> New Revision: 307745
> URL: https://svnweb.freebsd.org/changeset/base/307745
>
> Log:
>   Rework r306337.
>
>   In sendit(), if mp->msg_control is present, then in sockargs() we are
>   allocating mbuf to store mp->msg_control. Later in kern_sendit(), call
>   to getsock_cap(), will check validity of file pointer passed, if this
>   fails EBADF is returned but mbuf allocated in sockargs() is not freed.
>   Made code changes to free the same.
>
>   Since freeing control mbuf in sendit() after checking (control != NULL)
>   may lead to double freeing of control mbuf in sendit(), we can free
>   control mbuf in kern_sendit() if there are any errors in the routine.
>
>   Submitted by:		    Lohith Bellad <lohith.bellad@me.com>
>   Reviewed by:		    glebius
>   MFC after:		    3 weeks
>   Differential Revision:	    https://reviews.freebsd.org/D8152

Hi Hiren!

What's the status of the MFC? I don't see them (this and r306337) in
either the 11-STABLE or the 10-STABLE branch.

Thanks,
Oliver

>
> Modified:
>   head/sys/kern/uipc_syscalls.c
>
> Modified: head/sys/kern/uipc_syscalls.c
> ==============================================================================
> --- head/sys/kern/uipc_syscalls.c	Fri Oct 21 17:44:47 2016	(r307744)
> +++ head/sys/kern/uipc_syscalls.c	Fri Oct 21 18:27:30 2016	(r307745)
> @@ -762,8 +762,10 @@ kern_sendit(struct thread *td, int s, st
>  		cap_rights_set(&rights, CAP_CONNECT);
>  	}
>  	error = getsock_cap(td, s, &rights, &fp, NULL, NULL);
> -	if (error != 0)
> +	if (error != 0) {
> +		m_freem(control);
>  		return (error);
> +	}
>  	so = (struct socket *)fp->f_data;
>
>  #ifdef KTRACE
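Review bot: the early return after the getsock_cap() failure now frees control, which makes kern_sendit() responsible for the control mbuf on this path, but nothing in the hunk documents that contract. The log says a free in sendit() could turn into a double free, so a comment above kern_sendit() stating that it frees control on every error return would keep callers from adding their own m_freem(control).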
> @@ -774,12 +776,16 @@ kern_sendit(struct thread *td, int s, st
>  	if (mp->msg_name != NULL) {
>  		error = mac_socket_check_connect(td->td_ucred, so,
>  		    mp->msg_name);
> -		if (error != 0)
> +		if (error != 0) {
> +			m_freem(control);
>  			goto bad;
> +		}
>  	}
>  	error = mac_socket_check_send(td->td_ucred, so);
> -	if (error != 0)
> +	if (error != 0) {
> +		m_freem(control);
>  		goto bad;
> +	}
>  #endif
>
>  	auio.uio_iov = mp->msg_iov;
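Review bot: both error branches here, after mac_socket_check_connect() and after mac_socket_check_send(), repeat the pair `m_freem(control); goto bad;`, so every error path added later has to remember the free by hand. Consider a dedicated error label that frees control and then continues to bad, so these branches become a single goto and a new check cannot quietly reintroduce the leak the log describes.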
> @@ -793,6 +799,7 @@ kern_sendit(struct thread *td, int s, st
>  	for (i = 0; i < mp->msg_iovlen; i++, iov++) {
>  		if ((auio.uio_resid += iov->iov_len) < 0) {
>  			error = EINVAL;
> +			m_freem(control);
>  			goto bad;
>  		}
>  	}
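Review bot: in the EINVAL branch inside the iov loop, control is freed but the local pointer stays non-NULL while execution continues at bad. Since the log names double freeing as the risk being avoided, either confirm that nothing reachable from bad frees or dereferences control, or clear it with `control = NULL;` right after `m_freem(control);` so that a later cleanup cannot free it again.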