Module Name:    src
Committed By:   maxv
Date:           Wed Jul 22 14:25:39 UTC 2015

Modified Files:
        src/sys/compat/netbsd32: netbsd32_socket.c

Log Message:
Memory leak, triggerable from an unprivileged user.


To generate a diff of this commit:
cvs rdiff -u -r1.41 -r1.42 src/sys/compat/netbsd32/netbsd32_socket.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/netbsd32/netbsd32_socket.c
diff -u src/sys/compat/netbsd32/netbsd32_socket.c:1.41 src/sys/compat/netbsd32/netbsd32_socket.c:1.42
--- src/sys/compat/netbsd32/netbsd32_socket.c:1.41	Sat Aug 18 15:25:15 2012
+++ src/sys/compat/netbsd32/netbsd32_socket.c	Wed Jul 22 14:25:39 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: netbsd32_socket.c,v 1.41 2012/08/18 15:25:15 martin Exp $	*/
+/*	$NetBSD: netbsd32_socket.c,v 1.42 2015/07/22 14:25:39 maxv Exp $	*/
 
 /*
  * Copyright (c) 1998, 2001 Matthew R. Green
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_socket.c,v 1.41 2012/08/18 15:25:15 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_socket.c,v 1.42 2015/07/22 14:25:39 maxv Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -331,7 +331,7 @@ netbsd32_sendmsg(struct lwp *l, const st
 	} */
 	struct msghdr msg;
 	struct netbsd32_msghdr msg32;
-	struct iovec aiov[UIO_SMALLIOV], *iov;
+	struct iovec aiov[UIO_SMALLIOV], *iov = aiov;
 	struct netbsd32_iovec *iov32;
 	size_t iovsz;
 	int error;
@@ -346,6 +346,7 @@ netbsd32_sendmsg(struct lwp *l, const st
 		error = copyin32_msg_control(l, &msg);
 		if (error)
 			return (error);
+		/* From here on, msg.msg_control is allocated */
 	} else {
 		msg.msg_control = NULL;
 		msg.msg_controllen = 0;
@@ -353,23 +354,32 @@ netbsd32_sendmsg(struct lwp *l, const st
 
 	iovsz = msg.msg_iovlen * sizeof(struct iovec);
 	if ((u_int)msg.msg_iovlen > UIO_SMALLIOV) {
-		if ((u_int)msg.msg_iovlen > IOV_MAX)
-			return (EMSGSIZE);
+		if ((u_int)msg.msg_iovlen > IOV_MAX) {
+			error = EMSGSIZE;
+			goto out;
+		}
 		iov = kmem_alloc(iovsz, KM_SLEEP);
-	} else
-		iov = aiov;
+	}
 
 	iov32 = NETBSD32PTR64(msg32.msg_iov);
 	error = netbsd32_to_iovecin(iov32, iov, msg.msg_iovlen);
 	if (error)
-		goto done;
+		goto out;
 	msg.msg_iov = iov;
 
 	error = do_sys_sendmsg(l, SCARG(uap, s), &msg, SCARG(uap, flags), retval);
-done:
+	/* msg.msg_control freed by do_sys_sendmsg() */
+
 	if (iov != aiov)
 		kmem_free(iov, iovsz);
 	return (error);
+
+out:
+	if (iov != aiov)
+		kmem_free(iov, iovsz);
+	if (msg.msg_control)
+		m_free(msg.msg_control);
+	return error;
 }
 
 int
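Review bot: The new `out:` path releases the control buffer with `m_free(msg.msg_control)`, which frees a single mbuf. If `copyin32_msg_control()` (defined outside this hunk) can ever return a chain, the rest of it would still leak on the same error paths an unprivileged caller can reach, so `m_freem(msg.msg_control);` under the existing guard looks like the safer call, though this should be confirmed against that helper. The `out:` label is only valid before `do_sys_sendmsg()` takes ownership of the control mbuf, so I would add a comment there, such as `/* reached only before do_sys_sendmsg(); control mbuf is still ours */`, to stop a later edit from routing post-call failures here and double-freeing. The two exits also mix `return (error);` and `return error;`, which is worth making consistent. The body of netbsd32_sendmsg starts outside this hunk.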
