Date: Fri, 21 Oct 2016 18:27:30 +0000 (UTC) From: Hiren Panchasara <hiren@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r307745 - head/sys/kern Message-ID: <201610211827.u9LIRUUi010303@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: hiren Date: Fri Oct 21 18:27:30 2016 New Revision: 307745 URL: https://svnweb.freebsd.org/changeset/base/307745 Log: Rework r306337. In sendit(), if mp->msg_control is present, then in sockargs() we are allocating mbuf to store mp->msg_control. Later in kern_sendit(), call to getsock_cap(), will check validity of file pointer passed, if this fails EBADF is returned but mbuf allocated in sockargs() is not freed. Made code changes to free the same. Since freeing control mbuf in sendit() after checking (control != NULL) may lead to double freeing of control mbuf in sendit(), we can free control mbuf in kern_sendit() if there are any errors in the routine. Submitted by: Lohith Bellad <lohith.bellad@me.com> Reviewed by: glebius MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D8152 Modified: head/sys/kern/uipc_syscalls.c Modified: head/sys/kern/uipc_syscalls.c ============================================================================== --- head/sys/kern/uipc_syscalls.c Fri Oct 21 17:44:47 2016 (r307744) +++ head/sys/kern/uipc_syscalls.c Fri Oct 21 18:27:30 2016 (r307745) @@ -762,8 +762,10 @@ kern_sendit(struct thread *td, int s, st cap_rights_set(&rights, CAP_CONNECT); } error = getsock_cap(td, s, &rights, &fp, NULL, NULL); - if (error != 0) + if (error != 0) { + m_freem(control); return (error); + } so = (struct socket *)fp->f_data; #ifdef KTRACE @@ -774,12 +776,16 @@ kern_sendit(struct thread *td, int s, st if (mp->msg_name != NULL) { error = mac_socket_check_connect(td->td_ucred, so, mp->msg_name); - if (error != 0) + if (error != 0) { + m_freem(control); goto bad; + } } error = mac_socket_check_send(td->td_ucred, so); - if (error != 0) + if (error != 0) { + m_freem(control); goto bad; + } #endif auio.uio_iov = mp->msg_iov; @@ -793,6 +799,7 @@ kern_sendit(struct thread *td, int s, st for (i = 0; i < mp->msg_iovlen; i++, iov++) { if ((auio.uio_resid += iov->iov_len) < 0) { error = EINVAL; + m_freem(control); goto bad; } }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201610211827.u9LIRUUi010303>