svn commit: r360745 - stable/11/sys/netinet
Michael Tuexen
tuexen at FreeBSD.org
Thu May 7 02:13:29 UTC 2020
Author: tuexen
Date: Thu May 7 02:13:28 2020
New Revision: 360745
URL: https://svnweb.freebsd.org/changeset/base/360745
Log:
MFC r353145: Plump a memory leak
Plumb an mbuf leak in a code path that should not be taken. Also avoid
that this path is taken by setting the tail pointer correctly.
There is still bug related to handling unordered unfragmented messages
which were delayed in deferred handling.
This issue was found by OSS-Fuzz testing the usrsctp stack and reported in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17794
Modified:
stable/11/sys/netinet/sctp_indata.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/netinet/sctp_indata.c
==============================================================================
--- stable/11/sys/netinet/sctp_indata.c Thu May 7 02:10:44 2020 (r360744)
+++ stable/11/sys/netinet/sctp_indata.c Thu May 7 02:13:28 2020 (r360745)
@@ -714,6 +714,7 @@ sctp_add_to_tail_pointer(struct sctp_queued_to_read *c
}
if (control->tail_mbuf == NULL) {
/* TSNH */
+ sctp_m_freem(control->data);
control->data = m;
sctp_setup_tail_pointer(control);
return;
@@ -2117,10 +2118,13 @@ sctp_process_a_data_chunk(struct sctp_tcb *stcb, struc
struct mbuf *mm;
control->data = dmbuf;
+ control->tail_mbuf = NULL;
for (mm = control->data; mm; mm = mm->m_next) {
control->length += SCTP_BUF_LEN(mm);
+ if (SCTP_BUF_NEXT(mm) == NULL) {
+ control->tail_mbuf = mm;
+ }
}
- control->tail_mbuf = NULL;
control->end_added = 1;
control->last_frag_seen = 1;
control->first_frag_seen = 1;
More information about the svn-src-stable-11
mailing list