Date:      Sat, 9 Jul 2016 00:13:35 +0000
From:      Sreekanth Rupavatharam <rupavath@juniper.net>
To:        "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject:   mbuf leak in kern_sendit?
Message-ID:  <1286BFDE-9238-4967-913F-26E0E28D0F74@juniper.net>


I see in the kern_sendit() function (stable/10) that the control mbuf doesn’t get freed on error. E.g.,
        if (mp->msg_name != NULL) {
                error = mac_socket_check_connect(td->td_ucred, so,
                    mp->msg_name);
                if (error != 0)
                        goto bad; ⇐ Here
        }

or 

        for (i = 0; i < mp->msg_iovlen; i++, iov++) {
                if ((auio.uio_resid += iov->iov_len) < 0) {
                        error = EINVAL;
                        goto bad; ⇐ Here
                }
        }


bad:
        fdrop(fp, td);
        return (error);
No free of control mbuf here either. 

Actually, the only place where the mbuf gets freed is when it calls pru_sosend, where it gets freed in there. Am I missing something here? E.g., tracking the call trace from sendit:
sendit()
       sockargs() -> control mbuf is allocated here
       kern_sendit() -> it’s freed only on pru_sosend()
       control not freed on error.  Am I missing something? 




Thanks,

-Sreekanth
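
Added example, not part of the original message and not FreeBSD code: a user-space C model of the ownership pattern the message describes, where the caller allocates a control buffer and the callee releases it only on the path that reaches the send routine. All names (buf_alloc, model_sosend, send_leaky, send_fixed, leaked_after) are hypothetical stand-ins, and send_fixed shows one possible way to release the buffer on the early exit.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model only; every name here is a stand-in, not kernel code. */
static int live_bufs;                      /* buffers allocated and not yet freed */

struct buf { int len; };

static struct buf *buf_alloc(void)
{
	struct buf *b = calloc(1, sizeof(*b));
	if (b != NULL)
		live_bufs++;
	return b;
}

static void buf_free(struct buf *b) { if (b != NULL) { live_bufs--; free(b); } }

/* Stand-in for the send routine: it takes ownership of control and frees it. */
static int model_sosend(struct buf *control) { buf_free(control); return 0; }

/* Early exit jumps past the only consumer, so control is never released. */
static int send_leaky(long resid, struct buf *control)
{
	int error;
	if (resid < 0) { error = EINVAL; goto bad; }
	error = model_sosend(control);
bad:
	return error;
}

/* Same flow, but the exit taken before the consumer frees control itself. */
static int send_fixed(long resid, struct buf *control)
{
	int error;
	if (resid < 0) { error = EINVAL; buf_free(control); goto bad; }
	error = model_sosend(control);
bad:
	return error;
}

/* Models the caller: allocate control, hand it off, count what is still live. */
static int leaked_after(int (*fn)(long, struct buf *), long resid)
{
	live_bufs = 0;
	(void)fn(resid, buf_alloc());
	return live_bufs;
}

int main(void)
{
	printf("leaky: ok=%d error=%d\n", leaked_after(send_leaky, 16), leaked_after(send_leaky, -1));
	printf("fixed: ok=%d error=%d\n", leaked_after(send_fixed, 16), leaked_after(send_fixed, -1));
	return 0;
}
```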



