Author: tuexen
Date: Thu Oct 10 14:52:48 2019
New Revision: 353401
URL: https://svnweb.freebsd.org/changeset/base/353401

Log:
  MFC r353145:
  
  Plumb an mbuf leak in a code path that should not be taken. Also avoid
  that this path is taken by setting the tail pointer correctly.
  There is still a bug related to handling unordered unfragmented messages
  which were delayed in deferred handling.
  This issue was found by OSS-Fuzz testing the usrsctp stack and reported
  in
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17794

Modified:
  stable/12/sys/netinet/sctp_indata.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/netinet/sctp_indata.c
==============================================================================
--- stable/12/sys/netinet/sctp_indata.c Thu Oct 10 14:51:38 2019        
(r353400)
+++ stable/12/sys/netinet/sctp_indata.c Thu Oct 10 14:52:48 2019        
(r353401)
@@ -716,6 +716,7 @@ sctp_add_to_tail_pointer(struct sctp_queued_to_read *c
        }
        if (control->tail_mbuf == NULL) {
                /* TSNH */
+               sctp_m_freem(control->data);
                control->data = m;
                sctp_setup_tail_pointer(control);
                return;
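Review bot: The added `sctp_m_freem(control->data);` sits under a bare `/* TSNH */`, so nothing here tells a reader that this branch now discards the chain already queued on `control` before adopting `m`. I would expand the comment to something like `/* TSNH: tail pointer lost; free the old chain so replacing control->data does not leak it */`. It is also worth confirming that any receive-buffer accounting already charged for the old chain is undone or recomputed, presumably in `sctp_setup_tail_pointer()`, which is not visible in this hunk. The body of sctp_add_to_tail_pointer starts and ends outside the hunk.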
@@ -2119,10 +2120,13 @@ sctp_process_a_data_chunk(struct sctp_tcb *stcb, struc
                        struct mbuf *mm;
 
                        control->data = dmbuf;
+                       control->tail_mbuf = NULL;
                        for (mm = control->data; mm; mm = mm->m_next) {
                                control->length += SCTP_BUF_LEN(mm);
+                               if (SCTP_BUF_NEXT(mm) == NULL) {
+                                       control->tail_mbuf = mm;
+                               }
                        }
-                       control->tail_mbuf = NULL;
                        control->end_added = 1;
                        control->last_frag_seen = 1;
                        control->first_frag_seen = 1;
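Review bot: The loop advances with `mm->m_next` but the added test reads `SCTP_BUF_NEXT(mm)`, presumably the same link written two ways. Writing the header as `for (mm = control->data; mm != NULL; mm = SCTP_BUF_NEXT(mm))` keeps the walk and the tail test consistent. Separately, if `dmbuf` can be NULL at this point the loop never runs and `tail_mbuf` stays NULL, which is the state the TSNH branch of sctp_add_to_tail_pointer handles. Whether that can happen cannot be told from the hunk, so a one-line comment stating that `dmbuf` is non-NULL here would help. sctp_process_a_data_chunk begins and ends outside the hunk.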