Date: Thu, 26 Mar 2026 01:25:22 +0000
From: Gordon Tetlow <gordon@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc: Michael Tuexen <tuexen@FreeBSD.org>
Subject: git: 1fddb5435315 - stable/15 - tcp: plug an mbuf leak
Message-ID: <69c48b02.47ee6.519c42bb@gitrepo.freebsd.org>
The branch stable/15 has been updated by gordon:

URL: https://cgit.FreeBSD.org/src/commit/?id=1fddb5435315ca44c96960b16bdda8338afd15a1

commit 1fddb5435315ca44c96960b16bdda8338afd15a1
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2026-03-25 05:53:56 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2026-03-26 01:25:02 +0000

    tcp: plug an mbuf leak

    When a challenge ACK should be sent via tcp_send_challenge_ack(), but
    the rate limiter suppresses the sending, free the mbuf chain.
    The caller of tcp_send_challenge_ack() expects this similar to the
    callers of tcp_respond().

    Approved by: so
    Security: FreeBSD-SA-26:06.tcp
    Security: CVE-2026-4247
    Reviewed by: lstewart
    Tested by: lstewart
    Sponsored by: Netflix, Inc.

    (cherry picked from commit 6b2d6ccad2552e46a5c9c3ba70b2d0ed27c70ca8)

--- sys/netinet/tcp_subr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index b6f428b279b3..5e2b1eb1a86d 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c @@ -2202,6 +2202,8 @@ tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m) tcp_respond(tp, mtod(m, void *), th, m, tp->rcv_nxt, tp->snd_nxt, TH_ACK); tp->last_ack_sent = tp->rcv_nxt; + } else { + m_freem(m); } }
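
Review bot: The new else branch in tcp_send_challenge_ack() makes the function consume m on every path, but nothing in the hunk documents that ownership rule. A short comment at the `m_freem(m);` line, or above the function, stating that the mbuf chain is always consumed (handed to tcp_respond() when the ACK is sent, freed when the rate limiter suppresses it) would keep future callers from freeing or reusing m after the call. Since the commit message says callers already expect this, it is also worth confirming that none of them touches m after tcp_send_challenge_ack() returns, because with this change that would be a use after free or double free rather than a leak.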
