svn commit: r309859 - stable/11/sys/kern
Hiren Panchasara
hiren at FreeBSD.org
Sun Dec 11 23:36:12 UTC 2016
Author: hiren
Date: Sun Dec 11 23:36:11 2016
New Revision: 309859
URL: https://svnweb.freebsd.org/changeset/base/309859
Log:
MFC r307745
In sendit(), if mp->msg_control is present, then in sockargs() we are
allocating mbuf to store mp->msg_control. Later in kern_sendit(), call
to getsock_cap(), will check validity of file pointer passed, if this
fails EBADF is returned but mbuf allocated in sockargs() is not freed.
Made code changes to free the same.
Since freeing control mbuf in sendit() after checking (control != NULL)
may lead to double freeing of control mbuf in sendit(), we can free
control mbuf in kern_sendit() if there are any errors in the routine.
Submitted by: Lohith Bellad <lohith.bellad at me.com>
Modified:
stable/11/sys/kern/uipc_syscalls.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/kern/uipc_syscalls.c
==============================================================================
--- stable/11/sys/kern/uipc_syscalls.c Sun Dec 11 23:14:47 2016 (r309858)
+++ stable/11/sys/kern/uipc_syscalls.c Sun Dec 11 23:36:11 2016 (r309859)
@@ -806,8 +806,10 @@ kern_sendit(td, s, mp, flags, control, s
cap_rights_set(&rights, CAP_CONNECT);
}
error = getsock_cap(td, s, &rights, &fp, NULL);
- if (error != 0)
+ if (error != 0) {
+ m_freem(control);
return (error);
+ }
so = (struct socket *)fp->f_data;
#ifdef KTRACE
@@ -818,12 +820,16 @@ kern_sendit(td, s, mp, flags, control, s
if (mp->msg_name != NULL) {
error = mac_socket_check_connect(td->td_ucred, so,
mp->msg_name);
- if (error != 0)
+ if (error != 0) {
+ m_freem(control);
goto bad;
+ }
}
error = mac_socket_check_send(td->td_ucred, so);
- if (error != 0)
+ if (error != 0) {
+ m_freem(control);
goto bad;
+ }
#endif
auio.uio_iov = mp->msg_iov;
@@ -837,6 +843,7 @@ kern_sendit(td, s, mp, flags, control, s
for (i = 0; i < mp->msg_iovlen; i++, iov++) {
if ((auio.uio_resid += iov->iov_len) < 0) {
error = EINVAL;
+ m_freem(control);
goto bad;
}
}
More information about the svn-src-all
mailing list