Date: Thu, 26 Mar 2026 01:11:18 +0000 From: Philip Paeps <philip@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Michael Tuexen <tuexen@FreeBSD.org> Subject: git: de9e5d82581e - releng/15.0 - tcp: plug an mbuf leak Message-ID: <69c487b6.18d17.527e7a93@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch releng/15.0 has been updated by philip: URL: https://cgit.FreeBSD.org/src/commit/?id=de9e5d82581ec1afd8d8da62a4cd8345ebae5564 commit de9e5d82581ec1afd8d8da62a4cd8345ebae5564 Author: Michael Tuexen <tuexen@FreeBSD.org> AuthorDate: 2026-03-25 05:53:56 +0000 Commit: Philip Paeps <philip@FreeBSD.org> CommitDate: 2026-03-25 06:50:41 +0000 tcp: plug an mbuf leak When a challenge ACK should be sent via tcp_send_challenge_ack(), but the rate limiter suppresses the sending, free the mbuf chain. The caller of tcp_send_challenge_ack() expects this similar to the callers of tcp_respond(). Approved by: so Security: FreeBSD-SA-26:06.tcp Security: CVE-2026-4247 Reviewed by: lstewart Tested by: lstewart Sponsored by: Netflix, Inc. --- sys/netinet/tcp_subr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index b6f428b279b3..5e2b1eb1a86d 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c @@ -2202,6 +2202,8 @@ tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m) tcp_respond(tp, mtod(m, void *), th, m, tp->rcv_nxt, tp->snd_nxt, TH_ACK); tp->last_ack_sent = tp->rcv_nxt; + } else { + m_freem(m); } }home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69c487b6.18d17.527e7a93>