In sendit(), if mp->msg_control is present, then in sockargs() we are allocating
mbuf to store mp->msg_control. Later in kern_sendit(), call to getsock_cap(),
will check validity of file pointer passed, if this fails EBADF is returned but
mbuf allocated in sockargs() is not freed. Fix this possible leak.

Submitted by:	Lohith Bellad <lohith.bellad@me.com>
Reviewed by:	adrian
MFC after:	3 weeks
Differential Revision:	https://reviews.freebsd.org/D7910
hiren 2016-09-26 10:13:58 +00:00
parent e4920be6f2
commit ba20adf76d


@ -685,7 +685,7 @@ sys_socketpair(struct thread *td, struct socketpair_args *uap)
static int static int
sendit(struct thread *td, int s, struct msghdr *mp, int flags) sendit(struct thread *td, int s, struct msghdr *mp, int flags)
{ {
struct mbuf *control; struct mbuf *control = NULL;
struct sockaddr *to; struct sockaddr *to;
int error; int error;
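Review bot: The `= NULL` initializer on `control` is what makes the later `if (control)` test at `bad:` defined for any `goto bad` taken before sockargs() has stored the control mbuf, but nothing in the declaration says so. Either add a short comment that the cleanup path depends on it, or assign `control = NULL;` as a statement next to the code that conditionally fills it in, so the dependency stays visible if the declarations are reordered later.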
@ -737,6 +737,8 @@ sendit(struct thread *td, int s, struct msghdr *mp, int flags)
bad: bad:
free(to, M_SONAME); free(to, M_SONAME);
if (control)
m_freem(control);
return (error); return (error);
} }
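Review bot: The `if (control) m_freem(control);` added under `bad:` runs on every path that reaches the label, not only on the EBADF case named in the commit message. The lines between the two hunks are not shown here; if the normal return from kern_sendit() also falls through to `bad:`, then `control` is freed in sendit() after it has already been handed to kern_sendit(), which is a double free whenever the callee consumed or freed the mbuf itself. Please confirm who owns `control` after the call. Two safer shapes are to free it inside kern_sendit() on the getsock_cap() failure return, or to set `control = NULL` in sendit() right after passing it down so the cleanup only covers the early error paths.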