Module Name: src Committed By: maxv Date: Wed Jul 22 14:25:39 UTC 2015
Modified Files: src/sys/compat/netbsd32: netbsd32_socket.c Log Message: Memory leak, triggerable from an unprivileged user. To generate a diff of this commit: cvs rdiff -u -r1.41 -r1.42 src/sys/compat/netbsd32/netbsd32_socket.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/compat/netbsd32/netbsd32_socket.c diff -u src/sys/compat/netbsd32/netbsd32_socket.c:1.41 src/sys/compat/netbsd32/netbsd32_socket.c:1.42 --- src/sys/compat/netbsd32/netbsd32_socket.c:1.41 Sat Aug 18 15:25:15 2012 +++ src/sys/compat/netbsd32/netbsd32_socket.c Wed Jul 22 14:25:39 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: netbsd32_socket.c,v 1.41 2012/08/18 15:25:15 martin Exp $ */ +/* $NetBSD: netbsd32_socket.c,v 1.42 2015/07/22 14:25:39 maxv Exp $ */ /* * Copyright (c) 1998, 2001 Matthew R. Green @@ -27,7 +27,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: netbsd32_socket.c,v 1.41 2012/08/18 15:25:15 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: netbsd32_socket.c,v 1.42 2015/07/22 14:25:39 maxv Exp $"); #include <sys/param.h> #include <sys/systm.h> @@ -331,7 +331,7 @@ netbsd32_sendmsg(struct lwp *l, const st } */ struct msghdr msg; struct netbsd32_msghdr msg32; - struct iovec aiov[UIO_SMALLIOV], *iov; + struct iovec aiov[UIO_SMALLIOV], *iov = aiov; struct netbsd32_iovec *iov32; size_t iovsz; int error; @@ -346,6 +346,7 @@ netbsd32_sendmsg(struct lwp *l, const st error = copyin32_msg_control(l, &msg); if (error) return (error); + /* From here on, msg.msg_control is allocated */ } else { msg.msg_control = NULL; msg.msg_controllen = 0; @@ -353,23 +354,32 @@ netbsd32_sendmsg(struct lwp *l, const st iovsz = msg.msg_iovlen * sizeof(struct iovec); if ((u_int)msg.msg_iovlen > UIO_SMALLIOV) { - if ((u_int)msg.msg_iovlen > IOV_MAX) - return (EMSGSIZE); + if ((u_int)msg.msg_iovlen > IOV_MAX) { + error = EMSGSIZE; + goto out; + } iov = kmem_alloc(iovsz, KM_SLEEP); - } else - iov = aiov; + } iov32 = NETBSD32PTR64(msg32.msg_iov); error = netbsd32_to_iovecin(iov32, iov, msg.msg_iovlen); if (error) - goto done; + goto out; msg.msg_iov = iov; error = do_sys_sendmsg(l, SCARG(uap, s), &msg, SCARG(uap, flags), retval); -done: + /* msg.msg_control freed by do_sys_sendmsg() */ + if (iov != aiov) kmem_free(iov, iovsz); return (error); + +out: + if (iov != aiov) + kmem_free(iov, iovsz); + if (msg.msg_control) + m_free(msg.msg_control); + return error; } int