git: 01eb635d1295 - main - tcp: improve mbuf handling when processing SYN segments

From: Michael Tuexen <tuexen_at_FreeBSD.org>
Date: Mon, 30 Sep 2024 18:03:05 UTC
The branch main has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=01eb635d12953e24ee5fae69692c28e4aab4f0f6

commit 01eb635d12953e24ee5fae69692c28e4aab4f0f6
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2024-09-30 18:00:04 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2024-09-30 18:00:04 +0000

    tcp: improve mbuf handling when processing SYN segments
    
    When the sysctl-variable net.inet.ip.accept_sourceroute is non-zero,
    an mbuf would be leaked when processing a SYN-segment containing an
    IPv4 strict or loose source routing option, when the on-stack
    syncache entry is used or there is an error related to processing
    TCP MD5 options.
    Fix this by freeing the mbuf whenever an error occurred or the
    on-stack syncache entry is used.
    
    Reviewed by:            markj, rscheff
    MFC after:              1 week
    Sponsored by:           Netflix, Inc.
    Differential Revision:  https://reviews.freebsd.org/D46839
---
 sys/netinet/tcp_syncache.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index 04a964cf40cc..cb175d07c4d2 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -1604,8 +1604,6 @@ syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 				    ("%s: bucket unexpectedly unlocked",
 				    __func__));
 				SCH_UNLOCK(sch);
-				if (ipopts)
-					(void)m_free(ipopts);
 				goto done;
 			}
 		}
@@ -1775,6 +1773,8 @@ tfo_expanded:
 #ifdef MAC
 		mac_syncache_destroy(&maclabel);
 #endif
+		if (ipopts)
+			(void)m_free(ipopts);
 	}
 	return (rv);
 }