From: "Conrad E. Meyer" Date: Tue, 7 Jun 2016 19:49:08 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r301563 - head/sys/net X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Jun 2016 19:49:09 -0000 Author: cem Date: Tue Jun 7 19:49:08 2016 New Revision: 301563 URL: https://svnweb.freebsd.org/changeset/base/301563 Log: iflib: Fix potential leak in iflib_if_transmit Due to an accidental mismatch between allocation and release in the slow path of iflib_if_transmit, if a caller passed 9-16 mbufs to the routine, the mbuf array would be leaked. Fix the mismatch by removing the magic numbers in favor of nitems() on the stack array. According to mmacy, this leak is unlikely. Reported by: Coverity Discussed with: mmacy CID: 1356040 Sponsored by: EMC / Isilon Storage Division Modified: head/sys/net/iflib.c Modified: head/sys/net/iflib.c ============================================================================== --- head/sys/net/iflib.c Tue Jun 7 19:08:13 2016 (r301562) +++ head/sys/net/iflib.c Tue Jun 7 19:49:08 2016 (r301563) @@ -3085,7 +3085,7 @@ iflib_if_transmit(if_t ifp, struct mbuf next = next->m_nextpkt; } while (next != NULL); - if (count > 8) + if (count > nitems(marr)) if ((mp = malloc(count*sizeof(struct mbuf *), M_IFLIB, M_NOWAIT)) == NULL) { /* XXX check nextpkt */ m_freem(m); @@ -3112,7 +3112,7 @@ iflib_if_transmit(if_t ifp, struct mbuf m_freem(mp[i]); ifmp_ring_check_drainage(txq->ift_br[0], TX_BATCH_SIZE); } - if (count > 16) + if (count > nitems(marr)) free(mp, M_IFLIB); return (err);
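Review bot: in the first hunk (@@ -3085), the malloc failure path under the new "if (count > nitems(marr))" calls m_freem(m) on the head packet only, while the loop just above counts packets by walking m_nextpkt. m_freem() releases an m_next chain, so the other packets queued behind m would not be freed on this path, which is what the existing "XXX check nextpkt" comment appears to flag. Since this commit fixes a leak in the same function, consider freeing every packet on the m_nextpkt list here, or say in the log that this path is intentionally left for later. The outer if also has no braces around a multi-line nested if; bracing it would make the scope explicit.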
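Review bot: in the second hunk (@@ -3112), the guard on free(mp, M_IFLIB) restates the allocation condition "count > nitems(marr)" instead of testing whether mp was actually heap-allocated, so the two checks still have to be kept in sync by hand, which is how the 8 versus 16 mismatch arose. Consider guarding the release on the pointer itself, for example "if (mp != marr)", assuming mp points at marr on the non-allocating path (that assignment is not visible in these hunks), so the free cannot drift away from the malloc again.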