d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

In sendit(), if mp->msg_control is present, then in sockargs() we are allocating

Browse Source 
mbuf to store mp->msg_control. Later in kern_sendit(), call to getsock_cap(),
will check validity of file pointer passed, if this fails EBADF is returned but
mbuf allocated in sockargs() is not freed. Fix this possible leak.

Submitted by:	Lohith Bellad <lohith.bellad@me.com>
Reviewed by:	adrian
MFC after:	3 weeks
Differential Revision:	https://reviews.freebsd.org/D7910
This commit is contained in:
hiren 2016-09-26 10:13:58 +00:00
parent e4920be6f2
commit ba20adf76d
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sys/kern/uipc_syscalls.c
View File

@ -685,7 +685,7 @@ sys_socketpair(struct thread *td, struct socketpair_args *uap)
static int
sendit(struct thread *td, int s, struct msghdr *mp, int flags)
{
struct mbuf *control;
struct mbuf *control = NULL;
struct sockaddr *to;
int error;
@ -737,6 +737,8 @@ sendit(struct thread *td, int s, struct msghdr *mp, int flags)
bad:
free(to, M_SONAME);
if (control)
m_freem(control);
return (error);
}