Google Git
Sign in
android / platform / external / usrsctp / c38740ec838e701f994b5885a1e7318b93de4843^! / .
commitc38740ec838e701f994b5885a1e7318b93de4843[log] [tgz]
authorMichael Tuexen <tuexen@fh-muenster.de>Sun Oct 06 10:52:55 2019 +0200
committerMichael Tuexen <tuexen@fh-muenster.de>Sun Oct 06 10:52:55 2019 +0200
treecd3c45379ee53cd23e99907e3aeffa55457a0572
parent51e7c01312729a9642a0b5c1125b729e4b78234f [diff]
Plumb an mbuf leak in a code path that should not be taken. Also avoid
that this path is taken by setting the tail pointer correctly.
There is still bug related to handling unordered unfragmented messages
which were delayed in deferred handling.
This issue was found by OSS-Fuzz testing the usrsctp stack and reported in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17794

diff --git a/usrsctplib/netinet/sctp_indata.c b/usrsctplib/netinet/sctp_indata.c
index 06340d2..8b33235 100755
--- a/usrsctplib/netinet/sctp_indata.c
+++ b/usrsctplib/netinet/sctp_indata.c

@@ -34,7 +34,7 @@
 
 #ifdef __FreeBSD__
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/netinet/sctp_indata.c 352652 2019-09-24 13:15:24Z tuexen $");
+__FBSDID("$FreeBSD: head/sys/netinet/sctp_indata.c 353145 2019-10-06 08:47:10Z tuexen $");
 #endif
 
 #include <netinet/sctp_os.h>
@@ -731,6 +731,7 @@
 	}
 	if (control->tail_mbuf == NULL) {
 		/* TSNH */
+		sctp_m_freem(control->data);
 		control->data = m;
 		sctp_setup_tail_pointer(control);
 		return;
@@ -2103,10 +2104,13 @@
 			struct mbuf *mm;
 
 			control->data = dmbuf;
+			control->tail_mbuf = NULL;
 			for (mm = control->data; mm; mm = mm->m_next) {
 				control->length += SCTP_BUF_LEN(mm);
+				if (SCTP_BUF_NEXT(mm) == NULL) {
+					control->tail_mbuf = mm;
+				}
 			}
-			control->tail_mbuf = NULL;
 			control->end_added = 1;
 			control->last_frag_seen = 1;
 			control->first_frag_seen = 1;