svn commit: r353401 - stable/12/sys/netinet
Michael Tuexen
tuexen at FreeBSD.org
Thu Oct 10 14:52:49 UTC 2019
Author: tuexen
Date: Thu Oct 10 14:52:48 2019
New Revision: 353401
URL: https://svnweb.freebsd.org/changeset/base/353401
Log:
MFC r353145:
Plumb an mbuf leak in a code path that should not be taken. Also avoid
that this path is taken by setting the tail pointer correctly.
There is still bug related to handling unordered unfragmented messages
which were delayed in deferred handling.
This issue was found by OSS-Fuzz testing the usrsctp stack and reported
in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17794
Modified:
stable/12/sys/netinet/sctp_indata.c
Directory Properties:
stable/12/ (props changed)
Modified: stable/12/sys/netinet/sctp_indata.c
==============================================================================
--- stable/12/sys/netinet/sctp_indata.c Thu Oct 10 14:51:38 2019 (r353400)
+++ stable/12/sys/netinet/sctp_indata.c Thu Oct 10 14:52:48 2019 (r353401)
@@ -716,6 +716,7 @@ sctp_add_to_tail_pointer(struct sctp_queued_to_read *c
}
if (control->tail_mbuf == NULL) {
/* TSNH */
+ sctp_m_freem(control->data);
control->data = m;
sctp_setup_tail_pointer(control);
return;
@@ -2119,10 +2120,13 @@ sctp_process_a_data_chunk(struct sctp_tcb *stcb, struc
struct mbuf *mm;
control->data = dmbuf;
+ control->tail_mbuf = NULL;
for (mm = control->data; mm; mm = mm->m_next) {
control->length += SCTP_BUF_LEN(mm);
+ if (SCTP_BUF_NEXT(mm) == NULL) {
+ control->tail_mbuf = mm;
+ }
}
- control->tail_mbuf = NULL;
control->end_added = 1;
control->last_frag_seen = 1;
control->first_frag_seen = 1;
More information about the svn-src-all
mailing list