Discussion:
ip6_output.c function returned value not checked
Loganaden Velvindron
2013-10-03 20:18:04 UTC
Hi All,

sockopt_get() is called once in ip6_output.c without checking the returned
value.
Excerpt:

	optbuflen = sopt->sopt_size;
	optbuf = malloc(optbuflen, M_IP6OPT, M_NOWAIT);
	if (optbuf == NULL) {
		error = ENOBUFS;
		break;
	}

	sockopt_get(sopt, optbuf, optbuflen);
	optp = &in6p->in6p_outputopts;
	error = ip6_pcbopt(optname, optbuf, optbuflen,
	    optp, kauth_cred_get(), uproto);

Shouldn't the return value be checked in case of errors, and optbuf freed
before breaking/returning?

Index: src/sys/netinet6/ip6_output.c
===================================================================
RCS file: /cvsroot/src/sys/netinet6/ip6_output.c,v
retrieving revision 1.154
diff -u -p -r1.154 ip6_output.c
--- src/sys/netinet6/ip6_output.c 29 Jun 2013 21:06:58 -0000 1.154
+++ src/sys/netinet6/ip6_output.c 3 Oct 2013 20:13:07 -0000
@@ -1505,7 +1505,7 @@ else \

case IPV6_TCLASS:
case IPV6_DONTFRAG:
- case IPV6_USE_MIN_MTU:
+ case IPV6_USE_MIN_MTU:
error = sockopt_getint(sopt, &optval);
if (error)
break;
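Review bot: this hunk touches only the `case IPV6_USE_MIN_MTU:` line, and the `-` and `+` lines read identically, so it looks like a whitespace-only (tab versus spaces) change unrelated to the sockopt_get() fix; drop it from this patch or send it separately so the functional change can be reviewed on its own.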
@@ -1594,7 +1594,10 @@ else \
break;
}

- sockopt_get(sopt, optbuf, optbuflen);
+ if (sockopt_get(sopt, optbuf, optbuflen)) {
+ free(optbuf, M_IP6OPT);
+ break;
+ }
optp = &in6p->in6p_outputopts;
error = ip6_pcbopt(optname, optbuf, optbuflen,
optp, kauth_cred_get(), uproto);
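Review bot: the new `if (sockopt_get(sopt, optbuf, optbuflen)) {` branch frees optbuf and breaks but never assigns `error`, so when `error` is 0 on entry to this case the function falls out of the switch and reports success to the caller even though the option data was never copied. Capture the return value so the failure propagates: `if ((error = sockopt_get(sopt, optbuf, optbuflen)) != 0) {` with the same free and break inside.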

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Christos Zoulas
2013-10-03 20:28:52 UTC
Post by Loganaden Velvindron
> Hi All,
> sockopt_get() is called once in ip6_output.c without checking the returned
> value.
> 	optbuflen = sopt->sopt_size;
> 	optbuf = malloc(optbuflen, M_IP6OPT, M_NOWAIT);
> 	if (optbuf == NULL) {
> 		error = ENOBUFS;
> 		break;
> 	}
> 	sockopt_get(sopt, optbuf, optbuflen);
> 	optp = &in6p->in6p_outputopts;
> 	error = ip6_pcbopt(optname, optbuf, optbuflen,
> 	    optp, kauth_cred_get(), uproto);
> Shouldn't the return value be checked in case of errors, and optbuf freed
> before breaking/returning?
Just committed a fix. You need to set error, otherwise you'll return success.

christos
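The point made in both messages above, that the failed sockopt_get() must free optbuf and also assign `error`, is easiest to see side by side. The following is an added user-space model written for this thread; it is not NetBSD code and not the committed fix. `struct sockopt`, `sockopt_get()` and `ip6_pcbopt_model()` are simplified stand-ins (assumptions), with the model `sockopt_get()` mimicking the kernel helper's behaviour of failing with EINVAL when the caller's buffer length differs from the option size. Three variants of the setsockopt path are run against a constructed option whose size does not match the buffer: the code as quoted, the posted patch, and the patch with `error` assigned.

```c
/* Added illustration, not NetBSD code: user-space model of the
 * setsockopt path from the thread. sockopt_get(), struct sockopt and
 * ip6_pcbopt_model() are assumed stand-ins for the kernel API. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sockopt {
	size_t sopt_size;		/* length of the option data */
	const unsigned char *sopt_data;
};

/* Model of sockopt_get(): copy the option out, or fail with EINVAL
 * when the caller's buffer length does not match (assumed behaviour). */
static int
sockopt_get(const struct sockopt *sopt, void *buf, size_t len)
{
	if (sopt->sopt_size != len)
		return EINVAL;
	memcpy(buf, sopt->sopt_data, len);
	return 0;
}

/* Stand-in for ip6_pcbopt(): only records that it was reached. */
static int
ip6_pcbopt_model(const void *optbuf, size_t optbuflen, int *reached)
{
	(void)optbuf; (void)optbuflen;
	*reached = 1;
	return 0;
}

enum variant {
	UNCHECKED,		/* the code as quoted in the thread */
	PATCH_NO_ERROR,		/* the posted patch: free + break, error untouched */
	PATCH_SETS_ERROR	/* the shape the fix needs: error assigned */
};

/* Returns the error code the setsockopt path hands back to user space;
 * *pcbopt_reached is set when ip6_pcbopt ran on the buffer. */
static int
set_option(enum variant v, const struct sockopt *sopt, size_t optbuflen,
    int *pcbopt_reached)
{
	int error = 0;
	void *optbuf;

	*pcbopt_reached = 0;
	optbuf = malloc(optbuflen);
	if (optbuf == NULL)
		return ENOBUFS;

	switch (v) {
	case UNCHECKED:
		/* Result ignored: ip6_pcbopt sees a buffer that was never filled. */
		(void)sockopt_get(sopt, optbuf, optbuflen);
		error = ip6_pcbopt_model(optbuf, optbuflen, pcbopt_reached);
		break;
	case PATCH_NO_ERROR:
		if (sockopt_get(sopt, optbuf, optbuflen)) {
			free(optbuf);
			return error;	/* still 0: caller is told "success" */
		}
		error = ip6_pcbopt_model(optbuf, optbuflen, pcbopt_reached);
		break;
	case PATCH_SETS_ERROR:
		if ((error = sockopt_get(sopt, optbuf, optbuflen)) != 0) {
			free(optbuf);
			return error;	/* EINVAL propagates to the caller */
		}
		error = ip6_pcbopt_model(optbuf, optbuflen, pcbopt_reached);
		break;
	}
	free(optbuf);
	return error;
}

/* Constructed sample: a 4-byte option; the caller asks for `len` bytes. */
static int
run_sample(enum variant v, size_t len, int *pcbopt_reached)
{
	static const unsigned char data[4] = { 1, 2, 3, 4 };
	const struct sockopt sopt = { sizeof data, data };

	return set_option(v, &sopt, len, pcbopt_reached);
}

int
main(void)
{
	const char *names[] = { "unchecked", "patch, error unset",
	    "patch, error set" };
	int reached;

	for (int v = UNCHECKED; v <= PATCH_SETS_ERROR; v++) {
		int err = run_sample((enum variant)v, 8, &reached);
		printf("%-20s -> error %d, ip6_pcbopt reached: %s\n",
		    names[v], err, reached ? "yes" : "no");
	}
	return 0;
}
```

With the mismatched length, the unchecked variant runs ip6_pcbopt on an unfilled buffer and reports success, the posted patch stops early but still reports success, and only the variant that assigns `error` returns EINVAL to the caller; with a matching length all three behave the same.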

