git: 44dd8b58394b - releng/14.4 - tcp: plug an mbuf leak
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 26 Mar 2026 01:14:54 UTC
The branch releng/14.4 has been updated by philip:
URL: https://cgit.FreeBSD.org/src/commit/?id=44dd8b58394b8a3bcfa68f9aba1a4a0780c85145
commit 44dd8b58394b8a3bcfa68f9aba1a4a0780c85145
Author: Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2026-03-25 05:53:56 +0000
Commit: Philip Paeps <philip@FreeBSD.org>
CommitDate: 2026-03-25 06:53:41 +0000
tcp: plug an mbuf leak
When a challenge ACK should be sent via tcp_send_challenge_ack(),
but the rate limiter suppresses the sending, free the mbuf chain.
The caller of tcp_send_challenge_ack() expects this similar to the
callers of tcp_respond().
Approved by: so
Security: FreeBSD-SA-26:06.tcp
Security: CVE-2026-4247
Reviewed by: lstewart
Tested by: lstewart
Sponsored by: Netflix, Inc.
---
sys/netinet/tcp_subr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 81b378f496c9..32c30dc4d067 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -2276,6 +2276,8 @@ tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m)
tcp_respond(tp, mtod(m, void *), th, m, tp->rcv_nxt,
tp->snd_nxt, TH_ACK);
tp->last_ack_sent = tp->rcv_nxt;
+ } else {
+ m_freem(m);
}
}