Author: hiren Date: Mon Sep 26 10:13:58 2016 New Revision: 306337 URL: https://svnweb.freebsd.org/changeset/base/306337
Log: In sendit(), if mp->msg_control is present, then in sockargs() we are allocating mbuf to store mp->msg_control. Later in kern_sendit(), call to getsock_cap(), will check validity of file pointer passed, if this fails EBADF is returned but mbuf allocated in sockargs() is not freed. Fix this possible leak. Submitted by: Lohith Bellad <lohith.bel...@me.com> Reviewed by: adrian MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D7910 Modified: head/sys/kern/uipc_syscalls.c Modified: head/sys/kern/uipc_syscalls.c ============================================================================== --- head/sys/kern/uipc_syscalls.c Mon Sep 26 08:21:29 2016 (r306336) +++ head/sys/kern/uipc_syscalls.c Mon Sep 26 10:13:58 2016 (r306337) @@ -685,7 +685,7 @@ sys_socketpair(struct thread *td, struct static int sendit(struct thread *td, int s, struct msghdr *mp, int flags) { - struct mbuf *control; + struct mbuf *control = NULL; struct sockaddr *to; int error; @@ -737,6 +737,8 @@ sendit(struct thread *td, int s, struct bad: free(to, M_SONAME); + if (control) + m_freem(control); return (error); } _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
