svn commit: r362859 - stable/12/sys/netinet
Michael Tuexen
tuexen at FreeBSD.org
Wed Jul 1 20:26:36 UTC 2020
Author: tuexen
Date: Wed Jul 1 20:26:35 2020
New Revision: 362859
URL: https://svnweb.freebsd.org/changeset/base/362859
Log:
MFC r355135: Plug two mbuf leaks during INIT-ACK handling.
One leak happens when there is not enough memory to allocate the
the resources for streams. The other leak happens if the are
unknown parameters in the received INIT-ACK chunk which require
reporting and the INIT-ACK requires sending an ABORT due to illegal
parameter combinations.
Hopefully this fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19083
Modified:
stable/12/sys/netinet/sctp_input.c
Directory Properties:
stable/12/ (props changed)
Modified: stable/12/sys/netinet/sctp_input.c
==============================================================================
--- stable/12/sys/netinet/sctp_input.c Wed Jul 1 20:09:34 2020 (r362858)
+++ stable/12/sys/netinet/sctp_input.c Wed Jul 1 20:26:35 2020 (r362859)
@@ -495,6 +495,9 @@ sctp_process_init_ack(struct mbuf *m, int iphlen, int
/* process the peer's parameters in the INIT-ACK */
retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb);
if (retval < 0) {
+ if (op_err != NULL) {
+ sctp_m_freem(op_err);
+ }
return (retval);
}
initack_limit = offset + ntohs(cp->ch.chunk_length);
@@ -502,6 +505,9 @@ sctp_process_init_ack(struct mbuf *m, int iphlen, int
if ((retval = sctp_load_addresses_from_init(stcb, m,
(offset + sizeof(struct sctp_init_chunk)), initack_limit,
src, dst, NULL, stcb->asoc.port))) {
+ if (op_err != NULL) {
+ sctp_m_freem(op_err);
+ }
op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
"Problem with address parameters");
SCTPDBG(SCTP_DEBUG_INPUT1,
More information about the svn-src-stable
mailing list