svn commit: r353145 - head/sys/netinet
Michael Tuexen
tuexen at FreeBSD.org
Sun Oct 6 08:47:11 UTC 2019
Author: tuexen
Date: Sun Oct 6 08:47:10 2019
New Revision: 353145
URL: https://svnweb.freebsd.org/changeset/base/353145
Log:
Plumb an mbuf leak in a code path that should not be taken. Also avoid
that this path is taken by setting the tail pointer correctly.
There is still a bug related to handling unordered unfragmented messages
which were delayed in deferred handling.
This issue was found by OSS-Fuzz testing the usrsctp stack and reported in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17794
MFC after: 3 days
Modified:
head/sys/netinet/sctp_indata.c
Modified: head/sys/netinet/sctp_indata.c
==============================================================================
--- head/sys/netinet/sctp_indata.c Sun Oct 6 04:36:53 2019 (r353144)
+++ head/sys/netinet/sctp_indata.c Sun Oct 6 08:47:10 2019 (r353145)
@@ -716,6 +716,7 @@ sctp_add_to_tail_pointer(struct sctp_queued_to_read *c
}
if (control->tail_mbuf == NULL) {
/* TSNH */
+ sctp_m_freem(control->data);
control->data = m;
sctp_setup_tail_pointer(control);
return;
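Review bot: The branch in sctp_add_to_tail_pointer() that now calls sctp_m_freem(control->data) is documented only by "/* TSNH */", and it silently discards whatever chain was already attached to the control. Since this state is expected never to occur, a fuller comment would help: say that tail_mbuf == NULL with data still attached is an inconsistent state and that the old chain is dropped to avoid leaking it. A debug-build assertion or a log entry at this point would also make any future trip through this path visible instead of quietly losing queued data. The visible lines do not show whether any length or buffer accounting tied to the old chain is redone; if sctp_setup_tail_pointer(control) is what recomputes it, that is worth stating in the same comment.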
@@ -2119,10 +2120,13 @@ sctp_process_a_data_chunk(struct sctp_tcb *stcb, struc
struct mbuf *mm;
control->data = dmbuf;
+ control->tail_mbuf = NULL;
for (mm = control->data; mm; mm = mm->m_next) {
control->length += SCTP_BUF_LEN(mm);
+ if (SCTP_BUF_NEXT(mm) == NULL) {
+ control->tail_mbuf = mm;
+ }
}
- control->tail_mbuf = NULL;
control->end_added = 1;
control->last_frag_seen = 1;
control->first_frag_seen = 1;
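Review bot: The loop in sctp_process_a_data_chunk() now mixes two ways of reading the next-mbuf link: the for statement advances with "mm = mm->m_next" while the added check uses "SCTP_BUF_NEXT(mm) == NULL". Using SCTP_BUF_NEXT(mm) in both places would keep the loop consistent and make it obvious that the last mbuf visited is the one stored in tail_mbuf. The "control->tail_mbuf = NULL;" moved ahead of the loop correctly covers an empty dmbuf chain, and a one-line comment stating the invariant (tail_mbuf points at the last mbuf of control->data, or is NULL when there is no data) would tie this hunk to the "TSNH" branch in sctp_add_to_tail_pointer() that relies on it.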