svn commit: r355135 - head/sys/netinet
Michael Tuexen
tuexen at FreeBSD.org
Wed Nov 27 19:32:30 UTC 2019
Author: tuexen
Date: Wed Nov 27 19:32:29 2019
New Revision: 355135
URL: https://svnweb.freebsd.org/changeset/base/355135
Log:
Plug two mbuf leaks during INIT-ACK handling.
One leak happens when there is not enough memory to allocate the
the resources for streams. The other leak happens if the are
unknown parameters in the received INIT-ACK chunk which require
reporting and the INIT-ACK requires sending an ABORT due to illegal
parameter combinations.
Hopefully this fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19083
MFC after: 1 week
Modified:
head/sys/netinet/sctp_input.c
Modified: head/sys/netinet/sctp_input.c
==============================================================================
--- head/sys/netinet/sctp_input.c Wed Nov 27 19:12:32 2019 (r355134)
+++ head/sys/netinet/sctp_input.c Wed Nov 27 19:32:29 2019 (r355135)
@@ -495,6 +495,9 @@ sctp_process_init_ack(struct mbuf *m, int iphlen, int
/* process the peer's parameters in the INIT-ACK */
retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb);
if (retval < 0) {
+ if (op_err != NULL) {
+ sctp_m_freem(op_err);
+ }
return (retval);
}
initack_limit = offset + ntohs(cp->ch.chunk_length);
@@ -502,6 +505,9 @@ sctp_process_init_ack(struct mbuf *m, int iphlen, int
if ((retval = sctp_load_addresses_from_init(stcb, m,
(offset + sizeof(struct sctp_init_chunk)), initack_limit,
src, dst, NULL, stcb->asoc.port))) {
+ if (op_err != NULL) {
+ sctp_m_freem(op_err);
+ }
op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
"Problem with address parameters");
SCTPDBG(SCTP_DEBUG_INPUT1,
More information about the svn-src-head
mailing list