Bug 163089
| Summary: | Duplicate free in the error return for mld_v2_encap_report in mld6.c | ||
|---|---|---|---|
| Product: | Base System | Reporter: | Herbie.Robinson |
| Component: | kern | Assignee: | Gleb Smirnoff <glebius> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | Unspecified | ||
| Hardware: | Any | ||
| OS: | Any | ||
Author: glebius Date: Wed Dec 7 13:37:42 2011 New Revision: 228321 URL: http://svn.freebsd.org/changeset/base/228321 Log: Fix double free. PR: kern/163089 Submitted by: Herbie Robinson <Herbie.Robinson stratus.com> Modified: head/sys/netinet6/mld6.c Modified: head/sys/netinet6/mld6.c ============================================================================== --- head/sys/netinet6/mld6.c Wed Dec 7 12:48:11 2011 (r228320) +++ head/sys/netinet6/mld6.c Wed Dec 7 13:37:42 2011 (r228321) @@ -3090,7 +3090,6 @@ mld_dispatch_packet(struct mbuf *m) m0 = mld_v2_encap_report(ifp, m); if (m0 == NULL) { CTR2(KTR_MLD, "%s: dropped %p", __func__, m); - m_freem(m); IP6STAT_INC(ip6s_odropped); goto out; } _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org" State Changed From-To: open->patched Committed to head, thanks! Responsible Changed From-To: freebsd-bugs->glebius Committed to head, thanks! State Changed From-To: patched->closed Merged to stable/9. Awfully sorry, but I was out of time and didn't merged it to stable/8 prior to 8.3-RELEASE. Author: glebius Date: Wed Mar 21 07:29:47 2012 New Revision: 233266 URL: http://svn.freebsd.org/changeset/base/233266 Log: Merge 228321 from head: Fix double free. PR: kern/163089 Submitted by: Herbie Robinson <Herbie.Robinson stratus.com> Modified: stable/9/sys/netinet6/mld6.c Directory Properties: stable/9/sys/ (props changed) stable/9/sys/amd64/include/xen/ (props changed) stable/9/sys/boot/ (props changed) stable/9/sys/boot/i386/efi/ (props changed) stable/9/sys/boot/ia64/efi/ (props changed) stable/9/sys/boot/ia64/ski/ (props changed) stable/9/sys/boot/powerpc/boot1.chrp/ (props changed) stable/9/sys/boot/powerpc/ofw/ (props changed) stable/9/sys/cddl/contrib/opensolaris/ (props changed) stable/9/sys/conf/ (props changed) stable/9/sys/contrib/dev/acpica/ (props changed) stable/9/sys/contrib/octeon-sdk/ (props changed) stable/9/sys/contrib/pf/ (props changed) stable/9/sys/contrib/x86emu/ (props changed) stable/9/sys/fs/ (props changed) stable/9/sys/fs/ntfs/ (props changed) stable/9/sys/i386/conf/XENHVM (props changed) Modified: stable/9/sys/netinet6/mld6.c ============================================================================== --- stable/9/sys/netinet6/mld6.c Wed Mar 21 07:22:27 2012 (r233265) +++ stable/9/sys/netinet6/mld6.c Wed Mar 21 07:29:47 2012 (r233266) @@ -3096,7 +3096,6 @@ mld_dispatch_packet(struct mbuf *m) m0 = mld_v2_encap_report(ifp, m); if (m0 == NULL) { CTR2(KTR_MLD, "%s: dropped %p", __func__, m); - m_freem(m); IP6STAT_INC(ip6s_odropped); goto out; } _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org" |
All of this is in src/sys/netinet6/mld6.c The call code is: m0 = mld_v2_encap_report(ifp, m); if (m0 == NULL) { CTR2(KTR_MLD, "%s: dropped %p", __func__, m); m_freem(m); The function mld_v2_encap_report consumes the mbuf in all cases (normal and error return); so, this is duplicate. I haven't been working with the code long enough to know whether the coding philosophy would be to delete the free from the caller or the subroutine. I would be inclined to remove the duplicate free from the caller... I left the priority as low because memory allocation failures are rare these days...