Date: Tue, 9 Dec 1997 14:20:32 -0800
From: "Hong, Joo" <JHong@canoga.com>
To: "'freebsd-hackers@freebsd.org'" <freebsd-hackers@freebsd.org>
Subject: possible bug in sosend() function in uipc_soc.c
Message-ID: <9A6665E753FAD011AF4C00A0C955B1070CEDF9@netmail.canoga.com>
Hi,

I think this may be a bug in the following code.

sosend()
..............
...........................
			mp = &m->m_next;
			if (resid <= 0) {
				if (flags & MSG_EOR)
					top->m_flags |= M_EOR;
				break;
			}
		} while (space > 0 && atomic);
		if (dontroute)
			so->so_options |= SO_DONTROUTE;
		s = splnet();				/* XXX */
		error = (*so->so_proto->pr_usrreqs->pru_send)(so,
		    (flags & MSG_OOB) ? PRUS_OOB :
		/*
		 * If the user set MSG_EOF, the protocol
		 * understands this flag and nothing left to
		 * send then use PRU_SEND_EOF instead of PRU_SEND.
		 */
		    ((flags & MSG_EOF) &&
		     (so->so_proto->pr_flags & PR_IMPLOPCL) &&
		     (resid <= 0)) ?
			PRUS_EOF : 0,
		    top, addr, control, p);
		splx(s);
		if (dontroute)
			so->so_options &= ~SO_DONTROUTE;
		clen = 0;
		control = 0;
		top = 0;
		mp = &top;
		if (error)
			goto release;
	    } while (resid && space > 0);
	} while (resid);

release:
	sbunlock(&so->so_snd);
out:
	if (top)
		m_freem(top);
	if (control)
		m_freem(control);
	return (error);
}

Let's assume that there is a TCP connection. (*so->so_proto->pr_usrreqs->pru_send) will normally go to tcp_usr_send. Now if there is an error in the COMMON_START, tcp_usr_send will return with an error EINVAL. The above code checks the error after the top and control variables have been set to zero. The m_freem(top) and m_freem(control) will not free any buffers and the buffers will be lost.
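The ordering problem the message describes, as an added C model that is not FreeBSD code: a stand-in pru_send that fails the way the message says COMMON_START does (returns EINVAL without touching the chains), the posted clear-then-check sequence beside a variant that drops ownership only on success, and a live-mbuf counter that shows which one leaks. The struct mbuf, m_get, m_freem, pru_send and build helpers here are constructed for the model, not the kernel's.

```c
/* Added model of the ownership problem described in the message above;
 * constructed here, not FreeBSD code. Names mirror the posted snippet. */
#include <stdlib.h>
#include <errno.h>
struct mbuf { struct mbuf *m_next; };
int live_mbufs;                         /* allocated and not yet freed */
static struct mbuf *m_get(void) {       /* allocation assumed to succeed */
	struct mbuf *m = calloc(1, sizeof *m);
	if (m) live_mbufs++;
	return m;
}
static void m_freem(struct mbuf *m) {   /* free an entire chain */
	while (m) { struct mbuf *n = m->m_next; free(m); live_mbufs--; m = n; }
}
/* Stand-in for tcp_usr_send: when COMMON_START fails (no pcb) it returns
 * EINVAL and leaves the chains untouched, the case the message describes.
 * On success the protocol consumes the data, modelled here by freeing it. */
static int pru_send(int have_pcb, struct mbuf *top, struct mbuf *control) {
	if (!have_pcb) return EINVAL;
	m_freem(top); m_freem(control);
	return 0;
}
static void build(struct mbuf **top, struct mbuf **control) {  /* 3 data + 1 ctl */
	*top = m_get(); (*top)->m_next = m_get(); (*top)->m_next->m_next = m_get();
	*control = m_get();
}
/* Ordering from the posted sosend(): top/control zeroed, then error checked,
 * so the release path's m_freem() calls see NULL and the chains leak. */
int sosend_as_posted(int have_pcb)
{
	struct mbuf *top, *control; int error;
	build(&top, &control);
	error = pru_send(have_pcb, top, control);
	control = 0; top = 0;
	if (top) m_freem(top);
	if (control) m_freem(control);
	return error;
}
/* Same sequence, but ownership is dropped only when the send succeeded. */
int sosend_fixed(int have_pcb)
{
	struct mbuf *top, *control; int error;
	build(&top, &control);
	error = pru_send(have_pcb, top, control);
	if (error == 0) { control = 0; top = 0; }
	if (top) m_freem(top);
	if (control) m_freem(control);
	return error;
}
```

After sosend_as_posted(0) the counter stays at 4 (three data mbufs plus the control mbuf), while sosend_fixed(0) returns the same EINVAL with the counter back at 0.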
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9A6665E753FAD011AF4C00A0C955B1070CEDF9>