diff options
| author | cem <cem@FreeBSD.org> | 2016-06-07 19:49:08 +0000 |
|---|---|---|
| committer | cem <cem@FreeBSD.org> | 2016-06-07 19:49:08 +0000 |
| commit | 3b6ce85def33ecb4ad25a28b38f8cce3c529e33f (patch) | |
| tree | d9ecefdad118f65f06f5620edf4bede664121750 | |
| parent | 2f8ff58ccd3d2b91f74e0867d95223c47bff8387 (diff) | |
| download | FreeBSD-src-3b6ce85def33ecb4ad25a28b38f8cce3c529e33f.zip FreeBSD-src-3b6ce85def33ecb4ad25a28b38f8cce3c529e33f.tar.gz | |
iflib: Fix potential leak in iflib_if_transmit
Due to an accidental mismatch between allocation and release in the slow path
of iflib_if_transmit, if a caller passed 9-16 mbufs to the routine, the mbuf
array would be leaked.
Fix the mismatch by removing the magic numbers in favor of nitems() on the
stack array. According to mmacy, this leak is unlikely.
Reported by: Coverity
Discussed with: mmacy
CID: 1356040
Sponsored by: EMC / Isilon Storage Division
| -rw-r--r-- | sys/net/iflib.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/net/iflib.c b/sys/net/iflib.c index be5b85b..b7dd3ac 100644 --- a/sys/net/iflib.c +++ b/sys/net/iflib.c @@ -3085,7 +3085,7 @@ iflib_if_transmit(if_t ifp, struct mbuf *m) next = next->m_nextpkt; } while (next != NULL); - if (count > 8) + if (count > nitems(marr)) if ((mp = malloc(count*sizeof(struct mbuf *), M_IFLIB, M_NOWAIT)) == NULL) { /* XXX check nextpkt */ m_freem(m); @@ -3112,7 +3112,7 @@ iflib_if_transmit(if_t ifp, struct mbuf *m) m_freem(mp[i]); ifmp_ring_check_drainage(txq->ift_br[0], TX_BATCH_SIZE); } - if (count > 16) + if (count > nitems(marr)) free(mp, M_IFLIB); return (err); |
