From owner-svn-src-stable@freebsd.org Sun Dec 11 23:36:12 2016 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6AEFCC73A7D; Sun, 11 Dec 2016 23:36:12 +0000 (UTC) (envelope-from hiren@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1FFFF1B23; Sun, 11 Dec 2016 23:36:12 +0000 (UTC) (envelope-from hiren@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBBNaB0F001116; Sun, 11 Dec 2016 23:36:11 GMT (envelope-from hiren@FreeBSD.org) Received: (from hiren@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBBNaB9u001115; Sun, 11 Dec 2016 23:36:11 GMT (envelope-from hiren@FreeBSD.org) Message-Id: <201612112336.uBBNaB9u001115@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: hiren set sender to hiren@FreeBSD.org using -f From: Hiren Panchasara Date: Sun, 11 Dec 2016 23:36:11 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r309859 - stable/11/sys/kern X-SVN-Group: stable-11 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Dec 2016 23:36:12 -0000 Author: hiren Date: Sun Dec 11 23:36:11 2016 New Revision: 309859 URL: https://svnweb.freebsd.org/changeset/base/309859 Log: MFC r307745 In sendit(), if mp->msg_control is present, then in sockargs() we are allocating mbuf to store mp->msg_control. Later in kern_sendit(), call to getsock_cap(), will check validity of file pointer passed, if this fails EBADF is returned but mbuf allocated in sockargs() is not freed. Made code changes to free the same. Since freeing control mbuf in sendit() after checking (control != NULL) may lead to double freeing of control mbuf in sendit(), we can free control mbuf in kern_sendit() if there are any errors in the routine. Submitted by: Lohith Bellad Modified: stable/11/sys/kern/uipc_syscalls.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/kern/uipc_syscalls.c ============================================================================== --- stable/11/sys/kern/uipc_syscalls.c Sun Dec 11 23:14:47 2016 (r309858) +++ stable/11/sys/kern/uipc_syscalls.c Sun Dec 11 23:36:11 2016 (r309859) @@ -806,8 +806,10 @@ kern_sendit(td, s, mp, flags, control, s cap_rights_set(&rights, CAP_CONNECT); } error = getsock_cap(td, s, &rights, &fp, NULL); - if (error != 0) + if (error != 0) { + m_freem(control); return (error); + } so = (struct socket *)fp->f_data; #ifdef KTRACE @@ -818,12 +820,16 @@ kern_sendit(td, s, mp, flags, control, s if (mp->msg_name != NULL) { error = mac_socket_check_connect(td->td_ucred, so, mp->msg_name); - if (error != 0) + if (error != 0) { + m_freem(control); goto bad; + } } error = mac_socket_check_send(td->td_ucred, so); - if (error != 0) + if (error != 0) { + m_freem(control); goto bad; + } #endif auio.uio_iov = mp->msg_iov; @@ -837,6 +843,7 @@ kern_sendit(td, s, mp, flags, control, s for (i = 0; i < mp->msg_iovlen; i++, iov++) { if ((auio.uio_resid += iov->iov_len) < 0) { error = EINVAL; + m_freem(control); goto bad; } }