On 10/21/16, Hiren Panchasara <hi...@freebsd.org> wrote:
> Author: hiren
> Date: Fri Oct 21 18:27:30 2016
> New Revision: 307745
> URL: https://svnweb.freebsd.org/changeset/base/307745
>
> Log:
>   Rework r306337.
>
>   In sendit(), if mp->msg_control is present, then in sockargs() we are
>   allocating mbuf to store mp->msg_control. Later in kern_sendit(), call
>   to getsock_cap(), will check validity of file pointer passed, if this
>   fails EBADF is returned but mbuf allocated in sockargs() is not freed.
>   Made code changes to free the same.
>
>   Since freeing control mbuf in sendit() after checking (control != NULL)
>   may lead to double freeing of control mbuf in sendit(), we can free
>   control mbuf in kern_sendit() if there are any errors in the routine.
>
>   Submitted by:                   Lohith Bellad <lohith.bel...@me.com>
>   Reviewed by:                    glebius
>   MFC after:              3 weeks
>   Differential Revision:          https://reviews.freebsd.org/D8152

Hi Hiren!

What's the status of the MFC? I do not see them (this and r306337) in
either the 11-STABLE or the 10-STABLE branch.

Thanks,
Oliver

>
> Modified:
>   head/sys/kern/uipc_syscalls.c
>
> Modified: head/sys/kern/uipc_syscalls.c
> ==============================================================================
> --- head/sys/kern/uipc_syscalls.c     Fri Oct 21 17:44:47 2016        
> (r307744)
> +++ head/sys/kern/uipc_syscalls.c     Fri Oct 21 18:27:30 2016        
> (r307745)
> @@ -762,8 +762,10 @@ kern_sendit(struct thread *td, int s, st
>               cap_rights_set(&rights, CAP_CONNECT);
>       }
>       error = getsock_cap(td, s, &rights, &fp, NULL, NULL);
> -     if (error != 0)
> +     if (error != 0) {
> +             m_freem(control);
>               return (error);
> +     }
>       so = (struct socket *)fp->f_data;
>
>  #ifdef KTRACE
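Review bot: The new m_freem(control) in the getsock_cap() failure branch changes who owns control on error, and nothing in the hunk documents that. The log says the free was moved here from sendit() to avoid a double free, so add a comment above kern_sendit() stating that it consumes control on every error return and that callers must not free it afterwards. Other callers of kern_sendit() are not visible in this diff and should be checked against that rule.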
> @@ -774,12 +776,16 @@ kern_sendit(struct thread *td, int s, st
>       if (mp->msg_name != NULL) {
>               error = mac_socket_check_connect(td->td_ucred, so,
>                   mp->msg_name);
> -             if (error != 0)
> +             if (error != 0) {
> +                     m_freem(control);
>                       goto bad;
> +             }
>       }
>       error = mac_socket_check_send(td->td_ucred, so);
> -     if (error != 0)
> +     if (error != 0) {
> +             m_freem(control);
>               goto bad;
> +     }
>  #endif
>
>       auio.uio_iov = mp->msg_iov;
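Review bot: m_freem(control) is now repeated before each goto bad in the mac_socket_check_connect() and mac_socket_check_send() failure branches, so a later error path can add a goto bad without the free and reintroduce the leak. Consider a single cleanup point instead, for example a label placed ahead of bad that frees control once. The bad label itself is not shown in this diff, so whether the free can live there directly depends on whether bad is also reached after control has been passed on.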
> @@ -793,6 +799,7 @@ kern_sendit(struct thread *td, int s, st
>       for (i = 0; i < mp->msg_iovlen; i++, iov++) {
>               if ((auio.uio_resid += iov->iov_len) < 0) {
>                       error = EINVAL;
> +                     m_freem(control);
>                       goto bad;
>               }
>       }
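Review bot: In the uio_resid overflow branch, control is freed and execution continues at bad with the pointer still set. Given the double-free concern raised in the log, set control = NULL after m_freem(control) here (and in the other goto bad paths) so that any code at or after bad that looks at control cannot free it a second time.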
> _______________________________________________
> svn-src-head@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/svn-src-head
> To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
>