From owner-svn-src-head@freebsd.org Tue Apr 26 23:02:19 2016
Message-Id: <201604262302.u3QN2IqC085306@repo.freebsd.org>
From: "Conrad E. Meyer"
Date: Tue, 26 Apr 2016 23:02:18 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r298673 - head/sys/netinet

Author: cem
Date: Tue Apr 26 23:02:18 2016
New Revision: 298673

URL: https://svnweb.freebsd.org/changeset/base/298673

Log:
  tcp_usrreq: Free allocated buffer in relock case

  The disgusting macro INP_WLOCK_RECHECK may early-return. In
  tcp_default_ctloutput() the TCP_CCALGOOPT case allocates memory before
  invoking this macro, which may leak memory.

  Add a _CLEANUP variant that takes a code argument to perform variable
  cleanup in the early return path. Use it to free the 'pbuf' allocated in
  tcp_default_ctloutput().

  I am not especially happy with this macro, but I reckon it's not any worse
  than INP_WLOCK_RECHECK already was.

  Reported by:	Coverity
  CID:		1350286
  Sponsored by:	EMC / Isilon Storage Division

Modified:
  head/sys/netinet/tcp_usrreq.c

Modified: head/sys/netinet/tcp_usrreq.c
==============================================================================
--- head/sys/netinet/tcp_usrreq.c	Tue Apr 26 22:32:33 2016	(r298672)
+++ head/sys/netinet/tcp_usrreq.c	Tue Apr 26 23:02:18 2016	(r298673)
@@ -1361,14 +1361,16 @@ tcp_fill_info(struct tcpcb *tp, struct t * has to revalidate that the connection is still valid for the socket * option. */ -#define INP_WLOCK_RECHECK(inp) do { \ +#define INP_WLOCK_RECHECK_CLEANUP(inp, cleanup) do { \ INP_WLOCK(inp); \ if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) { \ INP_WUNLOCK(inp); \ + cleanup; \ return (ECONNRESET); \ } \ tp = intotcpcb(inp); \ } while(0) +#define INP_WLOCK_RECHECK(inp) INP_WLOCK_RECHECK_CLEANUP((inp), /* noop */) int tcp_ctloutput(struct socket *so, struct sockopt *sopt) @@ -1497,7 +1499,7 @@ tcp_default_ctloutput(struct socket *so, free(pbuf, M_TEMP); return (error); } - INP_WLOCK_RECHECK(inp); + INP_WLOCK_RECHECK_CLEANUP(inp, free(pbuf, M_TEMP)); if (CC_ALGO(tp)->ctl_output != NULL) error = CC_ALGO(tp)->ctl_output(tp->ccv, sopt, pbuf); else @@ -1838,6 +1840,7 @@ unlock_and_done: return (error); } #undef INP_WLOCK_RECHECK +#undef INP_WLOCK_RECHECK_CLEANUP /* * Attach TCP protocol to socket, allocating
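Review bot: in the first hunk the new `cleanup` parameter of `INP_WLOCK_RECHECK_CLEANUP` is undocumented; the comment block that ends with "has to revalidate that the connection is still valid for the socket option." should say that `cleanup` is a statement executed after `INP_WUNLOCK(inp)` and before `return (ECONNRESET)`, so it runs without the inpcb lock held and must not use `tp`, which is only assigned on the success path. Because the argument is pasted as a bare statement (`cleanup;`), a cleanup expression containing a top-level comma would be split into two macro arguments and must be wrapped in parentheses or braces; `free(pbuf, M_TEMP)` is safe only because its comma is inside parentheses. The `/* noop */` argument in the `INP_WLOCK_RECHECK` wrapper is fine as written: comments are replaced by whitespace before macro expansion, so `cleanup;` becomes an empty statement.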
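Review bot: in the second hunk the early return hidden inside `INP_WLOCK_RECHECK_CLEANUP(inp, free(pbuf, M_TEMP));` is invisible at the call site, and the same `free(pbuf, M_TEMP)` now appears twice within three lines (once on the explicit `return (error)` path just above, once as the macro's cleanup argument); a one-line comment at the call site noting that the macro frees `pbuf` and returns `ECONNRESET` when the inpcb is in `INP_TIMEWAIT` or `INP_DROPPED` state would keep the two release paths from drifting apart in later edits. The ordering itself is correct: `pbuf` is released only after `INP_WUNLOCK(inp)`, and no use of `pbuf` follows the macro on that path.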