soreceive_stream: mbuf leak if called with mp0 and MSG_WAITALL

Mikolaj Golub trociny at freebsd.org
Sun Sep 4 09:30:59 UTC 2011


Hi,

Apparently soreceive_stream() has an issue if it is called to receive data as an
mbuf chain (by supplying a non-zero mbuf **mp0) and with MSG_WAITALL set.

I ran into this issue with smbfs, which uses soreceive() exactly in this way
(see netsmb/smb_trantcp.c:nbssn_recv()).

If MSG_WAITALL is set and not all data is received it loops again, but on the
next run mb0 is set to sb->sb_mb again, losing all previously received mbufs.
It looks like it should be set to the end of the mb0 chain instead. See the
attached patch.

Also, in the "copy the remainder" block we reduce uio_resid by m->m_len (the
length of the last mbuf in the chain), but it looks like for the MSG_PEEK case
the remainder may have more than one mbuf in the chain and we have to reduce
by len (the length of the copied chain).

I don't have a test case to check MSG_PEEK issue, but the patch fixes the
issue with smbfs for me.

-- 
Mikolaj Golub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: uipc_socket.c.soreceive_stream.patch
Type: text/x-patch
Size: 1031 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-net/attachments/20110904/321e13e6/uipc_socket.c.soreceive_stream.bin
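The pointer mistake described in the mail (re-pointing the caller's chain head at sb->sb_mb on every MSG_WAITALL pass, instead of appending at the end of the chain already handed over) can be shown outside the kernel with a small model. The following C program is an added example written for this page; it is not FreeBSD's uipc_socket.c, not the attached patch, and not smbfs code. The structs tmbuf and tsockbuf, the functions sb_append, sb_detach, recv_waitall and run_scenario, and the three segment sizes are all constructed for the example. It models only the first issue (the chain head reset); the MSG_PEEK remainder accounting is not covered.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of an mbuf chain and a socket receive buffer, constructed for
 * this example; not FreeBSD's struct mbuf / struct sockbuf. Only the pointer
 * handling of a MSG_WAITALL chain receive is modelled. */
struct tmbuf { struct tmbuf *m_next; int m_len; };
struct tsockbuf { struct tmbuf *sb_mb; int sb_cc; };   /* queued chain, bytes */

/* Model the protocol layer appending a newly arrived segment. */
static void sb_append(struct tsockbuf *sb, int len)
{
    struct tmbuf *m = calloc(1, sizeof *m), **pp = &sb->sb_mb;
    if (m == NULL) abort();
    m->m_len = len;
    while (*pp != NULL)
        pp = &(*pp)->m_next;
    *pp = m;
    sb->sb_cc += len;
}

/* Hand the whole queued chain to the caller (chain receive, no copy). */
static struct tmbuf *sb_detach(struct tsockbuf *sb, int *len)
{
    struct tmbuf *m = sb->sb_mb;
    *len = sb->sb_cc;
    sb->sb_mb = NULL;
    sb->sb_cc = 0;
    return m;
}

/* Count mbufs in a chain; also report the bytes they carry. */
static int chain_walk(const struct tmbuf *m, int *bytes)
{
    int n = 0;
    for (*bytes = 0; m != NULL; m = m->m_next, n++)
        *bytes += m->m_len;
    return n;
}

static void chain_free(struct tmbuf *m)
{
    while (m != NULL) {
        struct tmbuf *next = m->m_next;
        free(m);
        m = next;
    }
}

/* Receive `want` bytes as an mbuf chain with MSG_WAITALL semantics: keep
 * pulling from the socket buffer until the total has arrived. `arrivals`
 * holds the segment sizes the "wire" delivers while we wait (constructed).
 * With buggy != 0 the chain head is re-pointed at the socket buffer's chain
 * on every pass, as the mail describes; *leaked counts the mbufs that
 * earlier passes received and that are no longer referenced. */
static struct tmbuf *recv_waitall(struct tsockbuf *sb, int want, int buggy,
                                  const int *arrivals, int narrivals, int *leaked)
{
    struct tmbuf *mp0 = NULL, *tail = NULL, *m;
    int got = 0, ai = 0, len, unused;
    *leaked = 0;
    while (got < want) {
        if (sb->sb_mb == NULL) {
            if (ai >= narrivals)
                break;                      /* nothing more will arrive */
            sb_append(sb, arrivals[ai++]);  /* stands in for sbwait() */
        }
        m = sb_detach(sb, &len);
        if (buggy) {
            *leaked += chain_walk(mp0, &unused); /* bug: old chain dropped */
            mp0 = m;
        } else if (mp0 == NULL) {
            mp0 = m;
        } else {
            tail->m_next = m;               /* fix: append at end of mp0 */
        }
        for (tail = mp0; tail->m_next != NULL; tail = tail->m_next)
            ;
        got += len;        /* the caller is told `got` bytes either way */
    }
    return mp0;
}

/* One 1024-byte receive completing over three segments (constructed sizes).
 * Returns the bytes actually present in the returned chain. */
int run_scenario(int buggy, int *leaked)
{
    static const int arrivals[] = { 300, 500, 224 };
    struct tsockbuf sb = { NULL, 0 };
    struct tmbuf *chain = recv_waitall(&sb, 1024, buggy, arrivals, 3, leaked);
    int bytes;
    chain_walk(chain, &bytes);
    chain_free(chain);
    return bytes;
}

int scenario_bytes(int buggy) { int l; return run_scenario(buggy, &l); }
int scenario_leaked(int buggy) { int l; run_scenario(buggy, &l); return l; }
```

With the fix the caller gets a 1024-byte chain and nothing is dropped; with the head reset the loop still reports 1024 bytes received, but the returned chain holds only the last 224-byte segment and the two earlier mbufs are unreachable, which is the leak the mail reports.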

