Date: Tue, 7 Jun 2016 19:49:08 +0000 (UTC) From: "Conrad E. Meyer" <cem@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r301563 - head/sys/net Message-ID: <201606071949.u57Jn8R0027275@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: cem Date: Tue Jun 7 19:49:08 2016 New Revision: 301563 URL: https://svnweb.freebsd.org/changeset/base/301563 Log: iflib: Fix potential leak in iflib_if_transmit Due to an accidental mismatch between allocation and release in the slow path of iflib_if_transmit, if a caller passed 9-16 mbufs to the routine, the mbuf array would be leaked. Fix the mismatch by removing the magic numbers in favor of nitems() on the stack array. According to mmacy, this leak is unlikely. Reported by: Coverity Discussed with: mmacy CID: 1356040 Sponsored by: EMC / Isilon Storage Division Modified: head/sys/net/iflib.c Modified: head/sys/net/iflib.c ============================================================================== --- head/sys/net/iflib.c Tue Jun 7 19:08:13 2016 (r301562) +++ head/sys/net/iflib.c Tue Jun 7 19:49:08 2016 (r301563) @@ -3085,7 +3085,7 @@ iflib_if_transmit(if_t ifp, struct mbuf next = next->m_nextpkt; } while (next != NULL); - if (count > 8) + if (count > nitems(marr)) if ((mp = malloc(count*sizeof(struct mbuf *), M_IFLIB, M_NOWAIT)) == NULL) { /* XXX check nextpkt */ m_freem(m); @@ -3112,7 +3112,7 @@ iflib_if_transmit(if_t ifp, struct mbuf m_freem(mp[i]); ifmp_ring_check_drainage(txq->ift_br[0], TX_BATCH_SIZE); } - if (count > 16) + if (count > nitems(marr)) free(mp, M_IFLIB); return (err);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201606071949.u57Jn8R0027275>