Subject: kern/36768: memory leek in ipcomp_output.c
To: None <,,>
From: Wolfgang Stukenbrock <>
List: netbsd-bugs
Date: 08/10/2007 17:00:00
>Number:         36768
>Category:       kern
>Synopsis:       memory leek in ipcomp_output.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Aug 10 17:00:00 +0000 2007
>Originator:     Wolfgang Stukenbrock
>Release:        NetBSD 3.1
Dr. Nagler & Company GmbH
System: NetBSD test-s0 3.1 NetBSD 3.1 (test-s0) #0: Tue Apr 3 11:33:43 CEST 2007 root@test-s0:/usr/src/sys/arch/i386/compile/test-s0 i386
Architecture: i386
Machine: i386
	In the file netinet6/ipcomp_output.c in function ipcomp_output()
	the mbuf gets copied prior compression.
	After successfull compression theese copies will be freed again.
	IN the AF_INET case (line 303 ff.), if the resulting size exceeds
	IP_MAXPACKET, the copy "mcopy" is not freed again.
	-> memory leak !
	If the resulting packet is small enougth, the copy will be freed
	directly in front of the "return 0" in line 336.
	not relevant.
	free mcopy prior "goto fail:" in line 312 as done in line 202.