svn commit: r309859 - stable/11/sys/kern

Hiren Panchasara hiren at FreeBSD.org
Sun Dec 11 23:36:12 UTC 2016


Author: hiren
Date: Sun Dec 11 23:36:11 2016
New Revision: 309859
URL: https://svnweb.freebsd.org/changeset/base/309859

Log:
  MFC r307745
  
  In sendit(), if mp->msg_control is present, then in sockargs() we are
  allocating mbuf to store mp->msg_control. Later in kern_sendit(), call
  to getsock_cap(), will check validity of file pointer passed, if this
  fails EBADF is returned but mbuf allocated in sockargs() is not freed.
  Made code changes to free the same.
  
  Since freeing control mbuf in sendit() after checking (control != NULL)
  may lead to double freeing of control mbuf in sendit(), we can free
  control mbuf in kern_sendit() if there are any errors in the routine.
  
  Submitted by:		Lohith Bellad <lohith.bellad at me.com>

Modified:
  stable/11/sys/kern/uipc_syscalls.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/kern/uipc_syscalls.c
==============================================================================
--- stable/11/sys/kern/uipc_syscalls.c	Sun Dec 11 23:14:47 2016	(r309858)
+++ stable/11/sys/kern/uipc_syscalls.c	Sun Dec 11 23:36:11 2016	(r309859)
@@ -806,8 +806,10 @@ kern_sendit(td, s, mp, flags, control, s
 		cap_rights_set(&rights, CAP_CONNECT);
 	}
 	error = getsock_cap(td, s, &rights, &fp, NULL);
-	if (error != 0)
+	if (error != 0) {
+		m_freem(control);
 		return (error);
+	}
 	so = (struct socket *)fp->f_data;
 
 #ifdef KTRACE
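
Review bot: The ownership rule introduced at the getsock_cap() failure return, where kern_sendit() now frees control itself before returning the error, is not documented in the visible lines. A comment above kern_sendit() stating that control is freed by this routine on every error return would tell callers not to free it again, which is the double free the log message warns about for sendit().
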
@@ -818,12 +820,16 @@ kern_sendit(td, s, mp, flags, control, s
 	if (mp->msg_name != NULL) {
 		error = mac_socket_check_connect(td->td_ucred, so,
 		    mp->msg_name);
-		if (error != 0)
+		if (error != 0) {
+			m_freem(control);
 			goto bad;
+		}
 	}
 	error = mac_socket_check_send(td->td_ucred, so);
-	if (error != 0)
+	if (error != 0) {
+		m_freem(control);
 		goto bad;
+	}
 #endif
 
 	auio.uio_iov = mp->msg_iov;
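
Review bot: Both MAC check branches repeat the same m_freem(control) immediately before goto bad, so the cleanup now depends on every present and future error branch remembering it. Consider a dedicated label placed ahead of bad that frees control once and falls through, with these branches jumping to it; that keeps the free in one place, provided bad itself is only reached from paths where control has not yet been handed off.
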
@@ -837,6 +843,7 @@ kern_sendit(td, s, mp, flags, control, s
 	for (i = 0; i < mp->msg_iovlen; i++, iov++) {
 		if ((auio.uio_resid += iov->iov_len) < 0) {
 			error = EINVAL;
+			m_freem(control);
 			goto bad;
 		}
 	}
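
Review bot: In the iovec length check, as at the earlier sites, control is freed but the pointer is left holding the stale address when execution continues at bad. Setting control = NULL right after m_freem(control) would make any later free or use of it on the bad path harmless, and would make it visible in the code that the mbuf chain is gone from this point.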

