d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix leak in tcp_lro_rx. Simply clearing M_PKTHDR isn't enough, any tags

Browse Source 
hanging off the header need to be freed too.

Differential Revision:	https://reviews.freebsd.org/D2708
Reviewed by:	ae@, hiren@
This commit is contained in:
Navdeep Parhar 2015-06-30 17:19:58 +00:00
parent c4f9c760c9
commit 9523d1bfc3
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=284961
3 changed files with 15 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
sys/kern/uipc_mbuf.c
View File

@ -420,6 +420,17 @@ mb_dupcl(struct mbuf *n, struct mbuf *m)
n->m_flags |= m->m_flags & M_RDONLY;
}
void
m_demote_pkthdr(struct mbuf *m)
{
M_ASSERTPKTHDR(m);
m_tag_delete_chain(m, NULL);
m->m_flags &= ~M_PKTHDR;
bzero(&m->m_pkthdr, sizeof(struct pkthdr));
}
/*
* Clean up mbuf (chain) from any tags and packet headers.
* If "all" is set then the first mbuf in the chain will be
@ -433,11 +444,8 @@ m_demote(struct mbuf *m0, int all, int flags)
for (m = all ? m0 : m0->m_next; m != NULL; m = m->m_next) {
KASSERT(m->m_nextpkt == NULL, ("%s: m_nextpkt in m %p, m0 %p",
__func__, m, m0));
if (m->m_flags & M_PKTHDR) {
m_tag_delete_chain(m, NULL);
m->m_flags &= ~M_PKTHDR;
bzero(&m->m_pkthdr, sizeof(struct pkthdr));
}
if (m->m_flags & M_PKTHDR)
m_demote_pkthdr(m);
m->m_flags = m->m_flags & (M_EXT | M_RDONLY | M_NOFREE | flags);
}
}

2
sys/netinet/tcp_lro.c
View File

@ -550,7 +550,7 @@ tcp_lro_rx(struct lro_ctrl *lc, struct mbuf *m, uint32_t csum)
* append new segment to existing mbuf chain.
*/
m_adj(m, m->m_pkthdr.len - tcp_data_len);
m->m_flags &= ~M_PKTHDR;
m_demote_pkthdr(m);
le->m_tail->m_next = m;
le->m_tail = m_last(m);

1
sys/sys/mbuf.h
View File

@ -959,6 +959,7 @@ struct mbuf *m_copypacket(struct mbuf *, int);
void m_copy_pkthdr(struct mbuf *, struct mbuf *);
struct mbuf *m_copyup(struct mbuf *, int, int);
struct mbuf *m_defrag(struct mbuf *, int);
void m_demote_pkthdr(struct mbuf *);
void m_demote(struct mbuf *, int, int);
struct mbuf *m_devget(char *, int, int, struct ifnet *,
void (*)(char *, caddr_t, u_int));