Hi,
while I was debugging dlg@'s diff regarding the bigger mbuf clusters I stumbled
across a bug in the PRU_SEND case in uipc_usrreq.c.
There is a call to sbappendcontrol which can fail, but there is no
error handling done.
If sbappendcontrol fails m will be set to NULL, which just leaks this
mbuf because it was never put into the sb.
I think the following diff fixes this problem by handling the error correctly.

Index: kern/uipc_usrreq.c
===================================================================
RCS file: /cvs/src/sys/kern/uipc_usrreq.c,v
retrieving revision 1.100
diff -u -p -u -p -r1.100 uipc_usrreq.c
--- kern/uipc_usrreq.c 19 Jul 2016 05:30:48 -0000 1.100
+++ kern/uipc_usrreq.c 16 Aug 2016 15:58:32 -0000
@@ -254,6 +254,10 @@ uipc_usrreq(struct socket *so, int req,
if (control) {
if (sbappendcontrol(rcv, m, control))
control = NULL;
+ else {
+ error = ENOBUFS;
+ break;
+ }
} else if (so->so_type == SOCK_SEQPACKET)
sbappendrecord(rcv, m);
else
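Review bot: In the added else branch, the failure path sets error = ENOBUFS and breaks, but nothing in the visible lines frees m or control or shows what the break lands on. Since the description says the leak comes from m being set to NULL without ever reaching the sb, please confirm that the code reached after this break still sees m and control as non-NULL and releases both, or free them explicitly in the branch. A short comment there stating who owns the two chains on failure would help. Minor style point: the if arm is unbraced while the new else arm is braced; bracing both would read more consistently.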