git: 67e469299821 - stable/14 - tcp: improve mbuf handling when processing SYN segments

From: Michael Tuexen <tuexen_at_FreeBSD.org>
Date: Thu, 31 Oct 2024 13:57:43 UTC
The branch stable/14 has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=67e469299821c9b02b26e1b379f2b1754fee536c

commit 67e469299821c9b02b26e1b379f2b1754fee536c
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2024-09-30 18:00:04 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2024-10-31 11:36:12 +0000

    tcp: improve mbuf handling when processing SYN segments
    
    When the sysctl-variable net.inet.ip.accept_sourceroute is non-zero,
    an mbuf would be leaked when processing a SYN-segment containing an
    IPv4 strict or loose source routing option, when the on-stack
    syncache entry is used or there is an error related to processing
    TCP MD5 options.
    Fix this by freeing the mbuf whenever an error occurred or the
    on-stack syncache entry is used.
    
    Reviewed by:            markj, rscheff
    Sponsored by:           Netflix, Inc.
    Differential Revision:  https://reviews.freebsd.org/D46839
    
    (cherry picked from commit 01eb635d12953e24ee5fae69692c28e4aab4f0f6)
---
 sys/netinet/tcp_syncache.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index c0c571fb76c2..6d171b2b7ea6 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -1614,8 +1614,6 @@ syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 				    ("%s: bucket unexpectedly unlocked",
 				    __func__));
 				SCH_UNLOCK(sch);
-				if (ipopts)
-					(void)m_free(ipopts);
 				goto done;
 			}
 		}
@@ -1785,6 +1783,8 @@ tfo_expanded:
 #ifdef MAC
 		mac_syncache_destroy(&maclabel);
 #endif
+		if (ipopts)
+			(void)m_free(ipopts);
 	}
 	return (rv);
 }