Date:      Fri, 21 Oct 2016 18:27:30 +0000 (UTC)
From:      Hiren Panchasara <hiren@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r307745 - head/sys/kern
Message-ID:  <201610211827.u9LIRUUi010303@repo.freebsd.org>

Author: hiren
Date: Fri Oct 21 18:27:30 2016
New Revision: 307745
URL: https://svnweb.freebsd.org/changeset/base/307745

Log:
  Rework r306337.
  
  In sendit(), if mp->msg_control is present, then in sockargs() we are
  allocating an mbuf to store mp->msg_control. Later in kern_sendit(), the
  call to getsock_cap() will check the validity of the file pointer passed;
  if this fails, EBADF is returned but the mbuf allocated in sockargs() is
  not freed. Made code changes to free the same.
  
  Since freeing the control mbuf in sendit() after checking (control != NULL)
  may lead to double freeing of the control mbuf in sendit(), we can free the
  control mbuf in kern_sendit() if there are any errors in the routine.
  
  Submitted by:		    Lohith Bellad <lohith.bellad@me.com>
  Reviewed by:		    glebius
  MFC after:		    3 weeks
  Differential Revision:	    https://reviews.freebsd.org/D8152

Modified:
  head/sys/kern/uipc_syscalls.c

Modified: head/sys/kern/uipc_syscalls.c
==============================================================================
--- head/sys/kern/uipc_syscalls.c	Fri Oct 21 17:44:47 2016	(r307744)
+++ head/sys/kern/uipc_syscalls.c	Fri Oct 21 18:27:30 2016	(r307745)
@@ -762,8 +762,10 @@ kern_sendit(struct thread *td, int s, st
 		cap_rights_set(&rights, CAP_CONNECT);
 	}
 	error = getsock_cap(td, s, &rights, &fp, NULL, NULL);
-	if (error != 0)
+	if (error != 0) {
+		m_freem(control);
 		return (error);
+	}
 	so = (struct socket *)fp->f_data;
 
 #ifdef KTRACE
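Review bot: the ownership contract of kern_sendit() changes in this hunk (`control` is now consumed on the getsock_cap() failure path as well as on success), but nothing records that; add a comment above kern_sendit() stating that the callee always frees or consumes `control`, and check every caller other than sendit() so that none of them still frees its control mbuf on error, otherwise the double free the log message warns about only moves instead of disappearing. The unconditional `m_freem(control)` before `return (error)` needs no NULL guard, since m_freem() accepts a NULL mbuf pointer, so callers that pass no control data are unaffected.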
@@ -774,12 +776,16 @@ kern_sendit(struct thread *td, int s, st
 	if (mp->msg_name != NULL) {
 		error = mac_socket_check_connect(td->td_ucred, so,
 		    mp->msg_name);
-		if (error != 0)
+		if (error != 0) {
+			m_freem(control);
 			goto bad;
+		}
 	}
 	error = mac_socket_check_send(td->td_ucred, so);
-	if (error != 0)
+	if (error != 0) {
+		m_freem(control);
 		goto bad;
+	}
 #endif
 
 	auio.uio_iov = mp->msg_iov;
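Review bot: both MAC failure paths repeat an explicit `m_freem(control)` immediately before `goto bad`, which duplicates cleanup that could live once under the `bad:` label; consider clearing `control` to NULL at the point where ownership passes to the call that consumes it and doing a single `m_freem(control)` at `bad:`, so that any early exit added to this function later inherits the cleanup instead of reintroducing the leak. As written, every new `goto bad` between here and the consuming call has to remember the free by hand.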
@@ -793,6 +799,7 @@ kern_sendit(struct thread *td, int s, st
 	for (i = 0; i < mp->msg_iovlen; i++, iov++) {
 		if ((auio.uio_resid += iov->iov_len) < 0) {
 			error = EINVAL;
+			m_freem(control);
 			goto bad;
 		}
 	}
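Review bot: the EINVAL exit in the iov length loop follows the same pattern of a hand-placed `m_freem(control)` before `goto bad`; this diff covers four early exits, so confirm against the full function that no other `return` or `goto bad` between this loop and the call that consumes `control` was missed, because any exit not listed here still leaks the mbuf sockargs() allocated. A regression test that sends with a non-NULL msg_control to a closed descriptor (the EBADF case the log describes) and watches the mbuf in-use count would catch both this bug and any such missed exit.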

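The following userland probe is an added example and is not part of r307745 or of the FreeBSD tree. It exercises the error path the commit describes: a non-NULL msg_control makes sockargs() allocate a control mbuf, and sending to a closed descriptor then makes getsock_cap() fail with EBADF before anything consumes that mbuf. The function names and the choice of an SCM_RIGHTS message on an AF_UNIX socketpair are this example's own; any control message with msg_controllen > 0 would drive the same path.

```c
/*
 * Added example, not part of r307745 or the FreeBSD tree: a userland probe
 * for the kern_sendit() error path the commit fixes. Passing a non-NULL
 * msg_control makes sockargs() allocate a control mbuf; sending to a closed
 * descriptor then makes getsock_cap() fail with EBADF before the mbuf is
 * consumed. On an unpatched kernel the mbuf leaks once per call.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/*
 * Send one byte plus an SCM_RIGHTS control message carrying `fd_to_pass`
 * on `target`. Returns 0 on success, otherwise the errno from sendmsg().
 */
static int
sendmsg_with_control(int target, int fd_to_pass)
{
	char payload = 'x';
	struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
	union {
		struct cmsghdr hdr;
		char buf[CMSG_SPACE(sizeof(int))];
	} ctrl;
	struct msghdr msg;
	struct cmsghdr *cm;

	memset(&ctrl, 0, sizeof(ctrl));
	memset(&msg, 0, sizeof(msg));
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = &ctrl;	/* non-NULL: sockargs() allocates */
	msg.msg_controllen = sizeof(ctrl);

	cm = CMSG_FIRSTHDR(&msg);
	cm->cmsg_level = SOL_SOCKET;
	cm->cmsg_type = SCM_RIGHTS;
	cm->cmsg_len = CMSG_LEN(sizeof(int));
	memcpy(CMSG_DATA(cm), &fd_to_pass, sizeof(int));

	if (sendmsg(target, &msg, 0) < 0)
		return (errno);
	return (0);
}

/*
 * Drive the leaking path `iters` times. First proves the message is well
 * formed by sending it on a live AF_UNIX socket, then repeats it on a
 * descriptor that has been closed. Returns the errno seen on the closed
 * descriptor (EBADF is expected), -1 if socket setup failed, or -2 if the
 * control message was rejected even on the live socket.
 */
int
probe_control_leak_path(int iters)
{
	int sv[2], bad, err, i;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return (-1);
	if (sendmsg_with_control(sv[0], sv[0]) != 0) {
		close(sv[0]);
		close(sv[1]);
		return (-2);
	}
	/*
	 * Duplicate and immediately close: `bad` is an invalid descriptor
	 * number as long as nothing else opens a descriptor meanwhile.
	 */
	bad = dup(sv[0]);
	close(bad);

	err = 0;
	for (i = 0; i < iters; i++)
		err = sendmsg_with_control(bad, sv[0]);

	close(sv[0]);
	close(sv[1]);
	return (err);
}

int
main(void)
{
	int err = probe_control_leak_path(100000);

	printf("sendmsg() on closed fd: %s (errno %d)\n",
	    err > 0 ? strerror(err) : "setup failed", err);
	return (err == EBADF ? 0 : 1);
}
```

To use it as a regression check on FreeBSD, record the "mbufs in use" line of `netstat -m`, run the program, and read the line again: on a kernel without this fix the in-use count is expected to climb with the iteration count, while on a patched kernel it stays flat. The program itself only confirms that the EBADF path is reached; the leak is visible solely in the kernel's mbuf accounting.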


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201610211827.u9LIRUUi010303>