In igmp.c, in function igmp_input(), the correctness of the incoming igmp packet is checked. If the packet is discarded because of wrong number of sources the mbuf is not freed. /* * Validate length based on source count. */ nsrc = ntohs(igmpv3->igmp_numsrc); if (nsrc * sizeof(in_addr_t) > UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN) { IGMPSTAT_INC(igps_rcv_tooshort); return (IPPROTO_DONE); } The mbuf should be freed before the function returns: /* * Validate length based on source count. */ nsrc = ntohs(igmpv3->igmp_numsrc); if (nsrc * sizeof(in_addr_t) > UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN) { IGMPSTAT_INC(igps_rcv_tooshort); + m_freem(m); return (IPPROTO_DONE); }
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=501159696cb5204d94d03393e4bc5d82f2e348e6 commit 501159696cb5204d94d03393e4bc5d82f2e348e6 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-01-08 18:32:04 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-01-08 18:32:04 +0000 igmp: Avoid leaking mbuf when source validation fails PR: 252504 Submitted by: Panagiotis Tsolakos <panagiotis.tsolakos@gmail.com> MFC after: 3 days sys/netinet/igmp.c | 1 + 1 file changed, 1 insertion(+)
A commit in branch stable/12 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=44851ff2f65de3bdf3b3fa469a7bb5546e77e170 commit 44851ff2f65de3bdf3b3fa469a7bb5546e77e170 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-01-08 18:32:04 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-01-11 14:41:55 +0000 igmp: Avoid leaking mbuf when source validation fails PR: 252504 Submitted by: Panagiotis Tsolakos <panagiotis.tsolakos@gmail.com> (cherry picked from commit 501159696cb5204d94d03393e4bc5d82f2e348e6) sys/netinet/igmp.c | 1 + 1 file changed, 1 insertion(+)
Thanks for the patch.