From: "Hong, Joo" <JHong@canoga.com>
To: "'freebsd-hackers@freebsd.org'"
Subject: possible bug in sosend() function in uipc_soc.c
Date: Tue, 9 Dec 1997 14:20:32 -0800
Message-ID: <9A6665E753FAD011AF4C00A0C955B1070CEDF9@netmail.canoga.com>

Hi,

I think this may be a bug in the following code.

    sosend()
    ..............
    ...........................
                            mp = &m->m_next;
                            if (resid <= 0) {
                                    if (flags & MSG_EOR)
                                            top->m_flags |= M_EOR;
                                    break;
                            }
                    } while (space > 0 && atomic);
                    if (dontroute)
                            so->so_options |= SO_DONTROUTE;
                    s = splnet();                           /* XXX */
                    error = (*so->so_proto->pr_usrreqs->pru_send)(so,
                        (flags & MSG_OOB) ? PRUS_OOB :
                        /*
                         * If the user set MSG_EOF, the protocol
                         * understands this flag and nothing left to
                         * send then use PRU_SEND_EOF instead of PRU_SEND.
                         */
                        ((flags & MSG_EOF) &&
                         (so->so_proto->pr_flags & PR_IMPLOPCL) &&
                         (resid <= 0)) ?
                            PRUS_EOF : 0,
                        top, addr, control, p);
                    splx(s);
                    if (dontroute)
                            so->so_options &= ~SO_DONTROUTE;
                    clen = 0;
                    control = 0;
                    top = 0;
                    mp = &top;
                    if (error)
                            goto release;
            } while (resid && space > 0);
        } while (resid);

    release:
        sbunlock(&so->so_snd);
    out:
        if (top)
                m_freem(top);
        if (control)
                m_freem(control);
        return (error);
    }

Let's assume that there is a TCP connection. (*so->so_proto->pr_usrreqs->pru_send) will normally go to tcp_usr_send. Now if there is an error in the COMMON_START, tcp_usr_send will return with an error EINVAL. The above code checks the error after the top and control variables have been set to zero. The m_freem(top) and m_freem(control) will not free any buffers, and the buffers will be lost.
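The ordering problem the message describes, modelled in C as an added example (not FreeBSD code): a stand-in for pru_send that, as the mail assumes for tcp_usr_send's error path, fails without consuming the buffer; the caller that zeroes `top` before checking `error` leaks it, the caller that checks first frees it. `struct buf`, `proto_send` and the `live_bufs` counter are constructed for the example.

```c
#include <assert.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an mbuf chain; live_bufs counts outstanding ones. */
struct buf { size_t len; char data[64]; };
static int live_bufs = 0;

static struct buf *buf_alloc(const char *s) {
    struct buf *b = calloc(1, sizeof *b);
    if (!b) abort();
    b->len = strlen(s) < sizeof b->data ? strlen(s) : sizeof b->data;
    memcpy(b->data, s, b->len);
    live_bufs++;
    return b;
}
static void buf_free(struct buf *b) { if (b) { live_bufs--; free(b); } }

/* Stand-in for pru_send. On success it takes ownership of top and frees it.
 * On failure it returns EINVAL without consuming top (the mail's premise for
 * tcp_usr_send failing in COMMON_START), so the caller still owns the buffer. */
static int proto_send(struct buf *top, int fail) {
    if (fail) return EINVAL;
    buf_free(top);
    return 0;
}

/* Ordering from the quoted sosend(): top is cleared, then error is checked,
 * so the out: path frees NULL and the buffer is lost. */
static int send_clear_then_check(const char *msg, int fail) {
    struct buf *top = buf_alloc(msg);
    int error = proto_send(top, fail);
    top = NULL;                 /* ownership assumed transferred ... */
    if (error) goto out;        /* ... but on error it was not */
out:
    buf_free(top);              /* no-op here: leak */
    return error;
}

/* Check error while the caller still holds the pointer; clear only on success. */
static int send_check_then_clear(const char *msg, int fail) {
    struct buf *top = buf_alloc(msg);
    int error = proto_send(top, fail);
    if (error) goto out;        /* top still valid, freed at out: */
    top = NULL;                 /* consumed by proto_send */
out:
    buf_free(top);
    return error;
}

/* Buffers still live after one failing send through fn. */
static int leaked_after_failure(int (*fn)(const char *, int)) {
    live_bufs = 0;
    (void)fn("payload", 1);
    return live_bufs;
}
```

Each failing call through the first ordering strands one allocation, which is how a leak of this shape turns into resource exhaustion under repeated errors.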