svn commit: r306337 - head/sys/kern
Hiren Panchasara
hiren at FreeBSD.org
Mon Sep 26 10:13:59 UTC 2016
Author: hiren
Date: Mon Sep 26 10:13:58 2016
New Revision: 306337
URL: https://svnweb.freebsd.org/changeset/base/306337
Log:
In sendit(), if mp->msg_control is present, then in sockargs() we are allocating
mbuf to store mp->msg_control. Later in kern_sendit(), call to getsock_cap(),
will check validity of file pointer passed, if this fails EBADF is returned but
mbuf allocated in sockargs() is not freed. Fix this possible leak.
Submitted by: Lohith Bellad <lohith.bellad at me.com>
Reviewed by: adrian
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D7910
Modified:
head/sys/kern/uipc_syscalls.c
Modified: head/sys/kern/uipc_syscalls.c
==============================================================================
--- head/sys/kern/uipc_syscalls.c Mon Sep 26 08:21:29 2016 (r306336)
+++ head/sys/kern/uipc_syscalls.c Mon Sep 26 10:13:58 2016 (r306337)
@@ -685,7 +685,7 @@ sys_socketpair(struct thread *td, struct
static int
sendit(struct thread *td, int s, struct msghdr *mp, int flags)
{
- struct mbuf *control;
+ struct mbuf *control = NULL;
struct sockaddr *to;
int error;
@@ -737,6 +737,8 @@ sendit(struct thread *td, int s, struct
bad:
free(to, M_SONAME);
+ if (control)
+ m_freem(control);
return (error);
}
More information about the svn-src-head
mailing list