Date: Mon, 26 Sep 2016 10:13:58 +0000 (UTC)
From: Hiren Panchasara <hiren@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r306337 - head/sys/kern
Message-ID: <201609261013.u8QADwrV002892@repo.freebsd.org>
Author: hiren Date: Mon Sep 26 10:13:58 2016 New Revision: 306337 URL: https://svnweb.freebsd.org/changeset/base/306337 Log: In sendit(), if mp->msg_control is present, then in sockargs() we are allocating mbuf to store mp->msg_control. Later in kern_sendit(), call to getsock_cap(), will check validity of file pointer passed, if this fails EBADF is returned but mbuf allocated in sockargs() is not freed. Fix this possible leak. Submitted by: Lohith Bellad <lohith.bellad@me.com> Reviewed by: adrian MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D7910 Modified: head/sys/kern/uipc_syscalls.c Modified: head/sys/kern/uipc_syscalls.c ============================================================================== --- head/sys/kern/uipc_syscalls.c Mon Sep 26 08:21:29 2016 (r306336) +++ head/sys/kern/uipc_syscalls.c Mon Sep 26 10:13:58 2016 (r306337) @@ -685,7 +685,7 @@ sys_socketpair(struct thread *td, struct static int sendit(struct thread *td, int s, struct msghdr *mp, int flags) { - struct mbuf *control; + struct mbuf *control = NULL; struct sockaddr *to; int error; @@ -737,6 +737,8 @@ sendit(struct thread *td, int s, struct bad: free(to, M_SONAME); + if (control) + m_freem(control); return (error); }
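Review bot: in the first hunk, `struct mbuf *control = NULL;` puts the initializer in the declaration, and that initializer is now load-bearing: the new `if (control)` test at `bad:` reads the variable on every path that reaches the label, including any that jump there before control has been assigned. An explicit `control = NULL;` statement ahead of the first jump to `bad`, or a short comment on the declaration, would make that dependency visible to whoever next changes the function.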
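Review bot: in the second hunk, `m_freem(control)` sits at `bad:` directly before `return (error)`, next to `free(to, M_SONAME)`, so it runs on every path through that label, while the log places the leak inside kern_sendit() when getsock_cap() fails. The visible context does not show whether `bad:` is also reached after kern_sendit() has handed the mbuf on to the socket layer; if it is, control is freed twice. Either free it in kern_sendit() on the getsock_cap() failure path, where ownership is unambiguous, or set control to NULL in sendit() once it has been handed off. Smaller point: m_freem() accepts a NULL chain, so the guard can be dropped, or written as `if (control != NULL)` to make the pointer test explicit.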