[src/trunk]: src/sys/compat/netbsd32 Memory leak, triggerable from an unprivi...

[maxv <maxv%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/74969da4f145
branches:  trunk
changeset: 809580:74969da4f145
user:      maxv <maxv%NetBSD.org@localhost>
date:      Wed Jul 22 14:25:39 2015 +0000

description:
Memory leak, triggerable from an unprivileged user.

diffstat:

 sys/compat/netbsd32/netbsd32_socket.c |  28 +++++++++++++++++++---------
 1 files changed, 19 insertions(+), 9 deletions(-)

diffs (74 lines):

diff -r 9c937c98c6e1 -r 74969da4f145 sys/compat/netbsd32/netbsd32_socket.c
--- a/sys/compat/netbsd32/netbsd32_socket.c     Wed Jul 22 14:18:08 2015 +0000
+++ b/sys/compat/netbsd32/netbsd32_socket.c     Wed Jul 22 14:25:39 2015 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: netbsd32_socket.c,v 1.41 2012/08/18 15:25:15 martin Exp $      */
+/*     $NetBSD: netbsd32_socket.c,v 1.42 2015/07/22 14:25:39 maxv Exp $        */
 
 /*
  * Copyright (c) 1998, 2001 Matthew R. Green
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_socket.c,v 1.41 2012/08/18 15:25:15 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_socket.c,v 1.42 2015/07/22 14:25:39 maxv Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -331,7 +331,7 @@
        } */
        struct msghdr msg;
        struct netbsd32_msghdr msg32;
-       struct iovec aiov[UIO_SMALLIOV], *iov;
+       struct iovec aiov[UIO_SMALLIOV], *iov = aiov;
        struct netbsd32_iovec *iov32;
        size_t iovsz;
        int error;
@@ -346,6 +346,7 @@
                error = copyin32_msg_control(l, &msg);
                if (error)
                        return (error);
+               /* From here on, msg.msg_control is allocated */
        } else {
                msg.msg_control = NULL;
                msg.msg_controllen = 0;
@@ -353,23 +354,32 @@
 
        iovsz = msg.msg_iovlen * sizeof(struct iovec);
        if ((u_int)msg.msg_iovlen > UIO_SMALLIOV) {
-               if ((u_int)msg.msg_iovlen > IOV_MAX)
-                       return (EMSGSIZE);
+               if ((u_int)msg.msg_iovlen > IOV_MAX) {
+                       error = EMSGSIZE;
+                       goto out;
+               }
                iov = kmem_alloc(iovsz, KM_SLEEP);
-       } else
-               iov = aiov;
+       }
 
        iov32 = NETBSD32PTR64(msg32.msg_iov);
        error = netbsd32_to_iovecin(iov32, iov, msg.msg_iovlen);
        if (error)
-               goto done;
+               goto out;
        msg.msg_iov = iov;
 
        error = do_sys_sendmsg(l, SCARG(uap, s), &msg, SCARG(uap, flags), retval);
-done:
+       /* msg.msg_control freed by do_sys_sendmsg() */
+
        if (iov != aiov)
                kmem_free(iov, iovsz);
        return (error);
+
+out:
+       if (iov != aiov)
+               kmem_free(iov, iovsz);
+       if (msg.msg_control)
+               m_free(msg.msg_control);
+       return error;
 }
 
 int