authorae <ae@FreeBSD.org>2015-02-23 13:41:35 +0000
committerae <ae@FreeBSD.org>2015-02-23 13:41:35 +0000
commit92ce4d2d912b47e5645d1d89408733995316ceca (patch)
tree96d91705b695df376717cba3ddaeb455fdfd37d4
parent403694c32d67445760f33838487e7096d211803c (diff)
downloadFreeBSD-src-92ce4d2d912b47e5645d1d89408733995316ceca.zip
FreeBSD-src-92ce4d2d912b47e5645d1d89408733995316ceca.tar.gz
In some cases soreceive_dgram() can return no data, but has control
message. This can happen when application is sending packets too big for the path MTU and recvmsg() will return zero (indicating no data) but there will be a cmsghdr with cmsg_type set to IPV6_PATHMTU. Remove KASSERT() which does NULL pointer dereference in such case. Also call m_freem() only when m isn't NULL. PR: 197882 MFC after: 1 week Sponsored by: Yandex LLC
-rw-r--r--sys/kern/uipc_socket.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index b897e05..8bbf36a 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -2255,7 +2255,8 @@ soreceive_dgram(struct socket *so, struct sockaddr **psa, struct uio *uio,
* Process one or more MT_CONTROL mbufs present before any data mbufs
* in the first mbuf chain on the socket buffer. We call into the
* protocol to perform externalization (or freeing if controlp ==
- * NULL).
+ * NULL). In some cases there can be only MT_CONTROL mbufs without
+ * MT_DATA mbufs.
*/
if (m->m_type == MT_CONTROL) {
struct mbuf *cm = NULL, *cmn;
@@ -2285,8 +2286,6 @@ soreceive_dgram(struct socket *so, struct sockaddr **psa, struct uio *uio,
cm = cmn;
}
}
- KASSERT(m->m_type == MT_DATA, ("soreceive_dgram: !data"));
-
while (m != NULL && uio->uio_resid > 0) {
len = uio->uio_resid;
if (len > m->m_len)
@@ -2303,9 +2302,10 @@ soreceive_dgram(struct socket *so, struct sockaddr **psa, struct uio *uio,
m->m_len -= len;
}
}
- if (m != NULL)
+ if (m != NULL) {
flags |= MSG_TRUNC;
- m_freem(m);
+ m_freem(m);
+ }
if (flagsp != NULL)
*flagsp |= flags;
return (0);
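Review bot: With the KASSERT removed in the previous hunk, nothing on the new side checks that the mbufs left after control processing are MT_DATA, so the copy loop and the `if (m != NULL)` truncation branch here would apparently handle any other mbuf type as payload without complaint. A NULL-tolerant assertion placed before the `while` loop keeps the invariant on INVARIANTS kernels without the dereference: `KASSERT(m == NULL || m->m_type == MT_DATA, ("soreceive_dgram: !data"));`. A short comment at the guard, such as `/* m is NULL when the datagram carried only control mbufs */`, would also record why the test is needed on a path that returns 0 with no data copied. The body of soreceive_dgram starts before these hunks and its closing lines are not shown.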