Date: Sun, 6 Oct 2019 08:47:10 +0000 (UTC) From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r353145 - head/sys/netinet Message-ID: <201910060847.x968lABW006728@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tuexen Date: Sun Oct 6 08:47:10 2019 New Revision: 353145 URL: https://svnweb.freebsd.org/changeset/base/353145 Log: Plumb an mbuf leak in a code path that should not be taken. Also avoid that this path is taken by setting the tail pointer correctly. There is still bug related to handling unordered unfragmented messages which were delayed in deferred handling. This issue was found by OSS-Fuzz testing the usrsctp stack and reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17794 MFC after: 3 days Modified: head/sys/netinet/sctp_indata.c Modified: head/sys/netinet/sctp_indata.c ============================================================================== --- head/sys/netinet/sctp_indata.c Sun Oct 6 04:36:53 2019 (r353144) +++ head/sys/netinet/sctp_indata.c Sun Oct 6 08:47:10 2019 (r353145) @@ -716,6 +716,7 @@ sctp_add_to_tail_pointer(struct sctp_queued_to_read *c } if (control->tail_mbuf == NULL) { /* TSNH */ + sctp_m_freem(control->data); control->data = m; sctp_setup_tail_pointer(control); return; @@ -2119,10 +2120,13 @@ sctp_process_a_data_chunk(struct sctp_tcb *stcb, struc struct mbuf *mm; control->data = dmbuf; + control->tail_mbuf = NULL; for (mm = control->data; mm; mm = mm->m_next) { control->length += SCTP_BUF_LEN(mm); + if (SCTP_BUF_NEXT(mm) == NULL) { + control->tail_mbuf = mm; + } } - control->tail_mbuf = NULL; control->end_added = 1; control->last_frag_seen = 1; control->first_frag_seen = 1;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201910060847.x968lABW006728>