Date: Tue, 9 Dec 1997 14:20:32 -0800
From: "Hong, Joo" <JHong@canoga.com>
To: "'freebsd-hackers@freebsd.org'" <freebsd-hackers@freebsd.org>
Subject: possible bug in sosend() function in uipc_soc.c
Message-ID: <9A6665E753FAD011AF4C00A0C955B1070CEDF9@netmail.canoga.com>

Hi, I think this may be a bug in the following code.

sosend() ..............
...........................
                mp = &m->m_next;
                if (resid <= 0) {
                    if (flags & MSG_EOR)
                        top->m_flags |= M_EOR;
                    break;
                }
            } while (space > 0 && atomic);
            if (dontroute)
                so->so_options |= SO_DONTROUTE;
            s = splnet();    /* XXX */
            error = (*so->so_proto->pr_usrreqs->pru_send)(so,
                (flags & MSG_OOB) ? PRUS_OOB :
                /*
                 * If the user set MSG_EOF, the protocol
                 * understands this flag and nothing left to
                 * send then use PRU_SEND_EOF instead of PRU_SEND.
                 */
                ((flags & MSG_EOF) &&
                 (so->so_proto->pr_flags & PR_IMPLOPCL) &&
                 (resid <= 0)) ?
                    PRUS_EOF : 0,
                top, addr, control, p);
            splx(s);
            if (dontroute)
                so->so_options &= ~SO_DONTROUTE;
            clen = 0;
            control = 0;
            top = 0;
            mp = &top;
            if (error)
                goto release;
        } while (resid && space > 0);
    } while (resid);
release:
    sbunlock(&so->so_snd);
out:
    if (top)
        m_freem(top);
    if (control)
        m_freem(control);
    return (error);
}

Let's assume that there is a TCP connection.
(*so->so_proto->pr_usrreqs->pru_send) will normally go to tcp_usr_send.
Now if there is an error in the COMMON_START, tcp_usr_send will return
with an error EINVAL. The above code checks the error after the top and
control variables have been set to zero. The m_freem(top) and
m_freem(control) will not free any buffers and the buffers will be lost.
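
Added example, not part of the original message and not FreeBSD code: a user-space C model of the buffer-ownership question the message raises, counting what is leaked when the caller zeroes its pointer before testing the error. The names buf_alloc, buf_free, proto_send and leaked_after_failed_send are hypothetical, and the send hook is assumed to fail with EINVAL on every call.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space stand-ins for mbuf allocation and m_freem(). */
static int live_bufs;   /* buffers allocated and not yet freed */

static void *buf_alloc(void)
{
    void *b = malloc(64);
    if (b != NULL)
        live_bufs++;
    return b;
}

static void buf_free(void *b)
{
    if (b != NULL)
        live_bufs--;
    free(b);
}

/* Hypothetical send hook that always fails early with EINVAL.
 * frees_on_error selects which ownership contract is modelled. */
static int proto_send(void *top, int frees_on_error)
{
    if (frees_on_error)
        buf_free(top);
    return EINVAL;
}

/* Buffers leaked by one failed send. clear_first = 1 mirrors the
 * excerpt: top is zeroed before error is tested. */
static int leaked_after_failed_send(int clear_first, int frees_on_error)
{
    int before = live_bufs;
    void *top = buf_alloc();
    int error = proto_send(top, frees_on_error);
    if (clear_first || !error)
        top = NULL;     /* caller drops its only reference */
    buf_free(top);      /* cleanup path, like m_freem(top) at out: */
    return live_bufs - before;
}

int main(void)
{
    printf("clear first, hook keeps buffer: %d leaked\n", leaked_after_failed_send(1, 0));
    printf("clear first, hook frees buffer: %d leaked\n", leaked_after_failed_send(1, 1));
    printf("check first, hook keeps buffer: %d leaked\n", leaked_after_failed_send(0, 0));
}
```

The fourth combination (check first, hook frees on error) is left out because it would free the same buffer twice. Zeroing the pointer before the error check is only leak-free when the hook frees the buffer on every error path, so each early return in the hook is what to audit.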
