svn commit: r354081 - head/sys/netinet6

Bjoern A. Zeeb bz at FreeBSD.org
Fri Oct 25 16:29:10 UTC 2019


Author: bz
Date: Fri Oct 25 16:29:09 2019
New Revision: 354081
URL: https://svnweb.freebsd.org/changeset/base/354081

Log:
  frag6: do not leak counter in error cases
  
  When allocating the IPv6 fragment packet queue entry we do checks
  against counters and if we pass we increment one of the counters
  to claim the spot.  Right after that we have two cases (malloc and MAC)
  which can both fail in which case we free the entry but never released
  our claim on the counter.  In theory this can lead to not accepting new
  fragments after a long time, especially if it would be MAC "refusing"
  them.
  Rather than immediately subtracting the value in the error case, only
  increment it after these two cases so we can no longer leak it.
  
  MFC after:	3 weeks
  Sponsored by:	Netflix

Modified:
  head/sys/netinet6/frag6.c

Modified: head/sys/netinet6/frag6.c
==============================================================================
--- head/sys/netinet6/frag6.c	Fri Oct 25 16:28:39 2019	(r354080)
+++ head/sys/netinet6/frag6.c	Fri Oct 25 16:29:09 2019	(r354081)
@@ -528,7 +528,6 @@ frag6_input(struct mbuf **mp, int *offp, int proto)
 		    atomic_load_int(&V_frag6_nfragpackets) >=
 		    (u_int)V_ip6_maxfragpackets)
 			goto dropfrag;
-		atomic_add_int(&V_frag6_nfragpackets, 1);
 
 		/* Allocate IPv6 fragement packet queue entry. */
 		q6 = (struct ip6q *)malloc(sizeof(struct ip6q), M_FRAG6,
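Review bot: With the increment removed from this spot, the limit test at the top of the hunk (`atomic_load_int(&V_frag6_nfragpackets) >= (u_int)V_ip6_maxfragpackets`) no longer claims the slot right after checking it; the claim now happens only after the malloc and the MAC setup. The load and the add were already two separate operations, so this is not a new race, but the window between them is wider now. If nothing outside the visible lines serializes callers across that span, more of them can pass the test before any one increments. Please confirm which lock covers this path, or say in a comment next to the test that the maximum is enforced as a soft limit.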
@@ -542,6 +541,7 @@ frag6_input(struct mbuf **mp, int *offp, int proto)
 		}
 		mac_ip6q_create(m, q6);
 #endif
+		atomic_add_int(&V_frag6_nfragpackets, 1);
 
 		/* ip6q_nxt will be filled afterwards, from 1st fragment. */
 		TAILQ_INIT(&q6->ip6q_frags);
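Review bot: The position of `atomic_add_int(&V_frag6_nfragpackets, 1);` directly after `#endif` is what prevents the leak, yet nothing in the code says so. A one-line comment here, stating that the counter is deliberately bumped only once the allocation and MAC failure exits are behind us, would keep a later reorder from reintroducing the problem. It also follows that any error exit added below this line has to release the count again.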

