In sendit(), if mp->msg_control is present, sockargs() allocates an mbuf to store mp->msg_control. Later, in kern_sendit(), the call to getsock_cap() checks the validity of the file pointer passed; if this fails, EBADF is returned but the mbuf allocated in sockargs() is not freed. Fix this possible leak.

Submitted by: Lohith Bellad <lohith.bellad@me.com>
Reviewed by: adrian
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D7910
parent
e4920be6f2
commit
ba20adf76d
@ -685,7 +685,7 @@ sys_socketpair(struct thread *td, struct socketpair_args *uap)
|
|||||||
static int
|
static int
|
||||||
sendit(struct thread *td, int s, struct msghdr *mp, int flags)
|
sendit(struct thread *td, int s, struct msghdr *mp, int flags)
|
||||||
{
|
{
|
||||||
struct mbuf *control;
|
struct mbuf *control = NULL;
|
||||||
struct sockaddr *to;
|
struct sockaddr *to;
|
||||||
int error;
|
int error;
|
||||||
|
|
||||||
@ -737,6 +737,8 @@ sendit(struct thread *td, int s, struct msghdr *mp, int flags)
|
|||||||
|
|
||||||
bad:
|
bad:
|
||||||
free(to, M_SONAME);
|
free(to, M_SONAME);
|
||||||
|
if (control)
|
||||||
|
m_freem(control);
|
||||||
return (error);
|
return (error);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
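Review bot: The new `if (control) m_freem(control);` at the `bad:` label in the second hunk releases the control mbuf on every exit through that label, not only when getsock_cap() fails. The lines between the two hunks are not shown, but if the normal return from kern_sendit() also falls through `bad:`, the chain would be freed a second time on paths where the socket send path has already taken ownership of it and consumed it, which is a double free of kernel memory. Freeing at the point of failure keeps ownership unambiguous: call `m_freem(control);` in kern_sendit() immediately before the EBADF return, and leave `bad:` releasing only `to`. The `= NULL` initialiser from the first hunk is still worth keeping so that any early `goto bad` exit never sees an uninitialised pointer.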