From 3b6ce85def33ecb4ad25a28b38f8cce3c529e33f Mon Sep 17 00:00:00 2001
From: cem <cem@FreeBSD.org>
Date: Tue, 7 Jun 2016 19:49:08 +0000
Subject: iflib: Fix potential leak in iflib_if_transmit

Due to an accidental mismatch between allocation and release in the slow path
of iflib_if_transmit, if a caller passed 9-16 mbufs to the routine, the mbuf
array would be leaked.

Fix the mismatch by removing the magic numbers in favor of nitems() on the
stack array.  According to mmacy, this leak is unlikely.

Reported by:	Coverity
Discussed with:	mmacy
CID:		1356040
Sponsored by:	EMC / Isilon Storage Division
---
 sys/net/iflib.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/net/iflib.c b/sys/net/iflib.c
index be5b85b..b7dd3ac 100644
--- a/sys/net/iflib.c
+++ b/sys/net/iflib.c
@@ -3085,7 +3085,7 @@ iflib_if_transmit(if_t ifp, struct mbuf *m)
 		next = next->m_nextpkt;
 	} while (next != NULL);
 
-	if (count > 8)
+	if (count > nitems(marr))
 		if ((mp = malloc(count*sizeof(struct mbuf *), M_IFLIB, M_NOWAIT)) == NULL) {
 			/* XXX check nextpkt */
 			m_freem(m);
@@ -3112,7 +3112,7 @@ iflib_if_transmit(if_t ifp, struct mbuf *m)
 			m_freem(mp[i]);
 		ifmp_ring_check_drainage(txq->ift_br[0], TX_BATCH_SIZE);
 	}
-	if (count > 16)
+	if (count > nitems(marr))
 		free(mp, M_IFLIB);
 
 	return (err);
-- 
cgit v1.1