From 702828f643e206a226497377736a66a51697aa7c Mon Sep 17 00:00:00 2001
From: "Bjoern A. Zeeb"
Date: Fri, 25 Oct 2019 16:29:09 +0000
Subject: [PATCH] frag6: do not leak counter in error cases

When allocating the IPv6 fragement packet queue entry we do checks against counters and if we pass we increment one of the counters to claim the spot. Right after that we have two cases (malloc and MAC) which can both fail in which case we free the entry but never released our claim on the counter. In theory this can lead to not accepting new fragments after a long time, especially if it would be MAC "refusing" them. Rather than immediately subtracting the value in the error case, only increment it after these two cases so we can no longer leak it.

MFC after: 3 weeks
Sponsored by: Netflix
---
 sys/netinet6/frag6.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/netinet6/frag6.c b/sys/netinet6/frag6.c
index 1b4f6f822d80..68eddf597830 100644
--- a/sys/netinet6/frag6.c
+++ b/sys/netinet6/frag6.c
@@ -528,7 +528,6 @@ frag6_input(struct mbuf **mp, int *offp, int proto)
 	atomic_load_int(&V_frag6_nfragpackets) >= (u_int)V_ip6_maxfragpackets)
 		goto dropfrag;
-	atomic_add_int(&V_frag6_nfragpackets, 1);
 
 	/* Allocate IPv6 fragement packet queue entry. */
 	q6 = (struct ip6q *)malloc(sizeof(struct ip6q), M_FRAG6,
@@ -542,6 +541,7 @@ frag6_input(struct mbuf **mp, int *offp, int proto)
 	}
 	mac_ip6q_create(m, q6);
 #endif
+	atomic_add_int(&V_frag6_nfragpackets, 1);
 
 	/* ip6q_nxt will be filled afterwards, from 1st fragment. */
 	TAILQ_INIT(&q6->ip6q_frags);
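Review bot: The limit test `atomic_load_int(&V_frag6_nfragpackets) >= (u_int)V_ip6_maxfragpackets` in the first hunk and the added `atomic_add_int(&V_frag6_nfragpackets, 1);` in the second are still two separate atomic operations, so concurrent frag6_input() callers can each pass the check before any of them increments, and the count can transiently exceed V_ip6_maxfragpackets; moving the increment widens that window from a couple of instructions to include malloc() and the MAC hook. Unless a lock not visible in these hunks serializes both sites, the limit is advisory rather than hard, which is worth stating at the new increment so nobody later treats it as a strict bound: `/* Not atomic with the limit check above: concurrent callers may briefly exceed V_ip6_maxfragpackets. */`. If a hard bound is wanted, reserving the slot with a compare-and-swap loop before malloc() and releasing it with atomic_subtract_int() on the two failure paths would close both the leak this commit fixes and the race. frag6_input() begins and ends outside these hunks.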