From 51088797305c8aba43e8ded60b99eef5baa14071 Mon Sep 17 00:00:00 2001 From: Mark Johnston Date: Sun, 11 Dec 2022 11:40:12 -0500 Subject: [PATCH] bridge: Fix a potential memory leak in bridge_enqueue() A comment at the beginning of the function notes that we may be transmitting multiple fragments as distinct packets. So, the function loops over all fragments, transmitting each mbuf chain. If if_transmit fails, we need to free all of the fragments, but m_freem() only frees an mbuf chain - it doesn't follow m_nextpkt. Change the error handler to free each untransmitted packet fragment, and count each fragment as a separate error since we increment OPACKETS once per fragment when transmission is successful. Reviewed by: zlei, kp MFC after: 1 week Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D37635 --- sys/net/if_bridge.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c index e8e552aa1853..5c3ce137931c 100644 --- a/sys/net/if_bridge.c +++ b/sys/net/if_bridge.c @@ -2062,8 +2062,13 @@ bridge_enqueue(struct bridge_softc *sc, struct ifnet *dst_ifp, struct mbuf *m) M_ASSERTPKTHDR(m); /* We shouldn't transmit mbuf without pkthdr */ if ((err = dst_ifp->if_transmit(dst_ifp, m))) { - m_freem(m0); - if_inc_counter(sc->sc_ifp, IFCOUNTER_OERRORS, 1); + int n; + + for (m = m0, n = 1; m != NULL; m = m0, n++) { + m0 = m->m_nextpkt; + m_freem(m); + } + if_inc_counter(sc->sc_ifp, IFCOUNTER_OERRORS, n); break; }