Wed Jul 22 14:25:39 2015 UTC ()
Memory leak, triggerable from an unprivileged user.


(maxv)
diff -r1.41 -r1.42 src/sys/compat/netbsd32/netbsd32_socket.c
cvs diff -r1.41 -r1.42 src/sys/compat/netbsd32/netbsd32_socket.c (expand / switch to unified diff)

--- src/sys/compat/netbsd32/netbsd32_socket.c 2012/08/18 15:25:15 1.41
+++ src/sys/compat/netbsd32/netbsd32_socket.c 2015/07/22 14:25:39 1.42
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1/* $NetBSD: netbsd32_socket.c,v 1.41 2012/08/18 15:25:15 martin Exp $ */ 1/* $NetBSD: netbsd32_socket.c,v 1.42 2015/07/22 14:25:39 maxv Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 1998, 2001 Matthew R. Green 4 * Copyright (c) 1998, 2001 Matthew R. Green
5 * All rights reserved. 5 * All rights reserved.
6 * 6 *
7 * Redistribution and use in source and binary forms, with or without 7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions 8 * modification, are permitted provided that the following conditions
9 * are met: 9 * are met:
10 * 1. Redistributions of source code must retain the above copyright 10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer. 11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright 12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the 13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution. 14 * documentation and/or other materials provided with the distribution.
@@ -17,27 +17,27 @@ @@ -17,27 +17,27 @@
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
22 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 22 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE. 26 * SUCH DAMAGE.
27 */ 27 */
28 28
29#include <sys/cdefs.h> 29#include <sys/cdefs.h>
30__KERNEL_RCSID(0, "$NetBSD: netbsd32_socket.c,v 1.41 2012/08/18 15:25:15 martin Exp $"); 30__KERNEL_RCSID(0, "$NetBSD: netbsd32_socket.c,v 1.42 2015/07/22 14:25:39 maxv Exp $");
31 31
32#include <sys/param.h> 32#include <sys/param.h>
33#include <sys/systm.h> 33#include <sys/systm.h>
34#define msg __msg /* Don't ask me! */ 34#define msg __msg /* Don't ask me! */
35#include <sys/mount.h> 35#include <sys/mount.h>
36#include <sys/socket.h> 36#include <sys/socket.h>
37#include <sys/sockio.h> 37#include <sys/sockio.h>
38#include <sys/socketvar.h> 38#include <sys/socketvar.h>
39#include <sys/mbuf.h> 39#include <sys/mbuf.h>
40#include <sys/ktrace.h> 40#include <sys/ktrace.h>
41#include <sys/file.h> 41#include <sys/file.h>
42#include <sys/filedesc.h> 42#include <sys/filedesc.h>
43#include <sys/syscallargs.h> 43#include <sys/syscallargs.h>
@@ -321,65 +321,75 @@ failure: @@ -321,65 +321,75 @@ failure:
321 return error; 321 return error;
322} 322}
323 323
324int 324int
325netbsd32_sendmsg(struct lwp *l, const struct netbsd32_sendmsg_args *uap, register_t *retval) 325netbsd32_sendmsg(struct lwp *l, const struct netbsd32_sendmsg_args *uap, register_t *retval)
326{ 326{
327 /* { 327 /* {
328 syscallarg(int) s; 328 syscallarg(int) s;
329 syscallarg(const netbsd32_msghdrp_t) msg; 329 syscallarg(const netbsd32_msghdrp_t) msg;
330 syscallarg(int) flags; 330 syscallarg(int) flags;
331 } */ 331 } */
332 struct msghdr msg; 332 struct msghdr msg;
333 struct netbsd32_msghdr msg32; 333 struct netbsd32_msghdr msg32;
334 struct iovec aiov[UIO_SMALLIOV], *iov; 334 struct iovec aiov[UIO_SMALLIOV], *iov = aiov;
335 struct netbsd32_iovec *iov32; 335 struct netbsd32_iovec *iov32;
336 size_t iovsz; 336 size_t iovsz;
337 int error; 337 int error;
338 338
339 error = copyin(SCARG_P32(uap, msg), &msg32, sizeof(msg32)); 339 error = copyin(SCARG_P32(uap, msg), &msg32, sizeof(msg32));
340 if (error) 340 if (error)
341 return (error); 341 return (error);
342 netbsd32_to_msghdr(&msg32, &msg); 342 netbsd32_to_msghdr(&msg32, &msg);
343 msg.msg_flags = 0; 343 msg.msg_flags = 0;
344 344
345 if (CMSG32_FIRSTHDR(&msg)) { 345 if (CMSG32_FIRSTHDR(&msg)) {
346 error = copyin32_msg_control(l, &msg); 346 error = copyin32_msg_control(l, &msg);
347 if (error) 347 if (error)
348 return (error); 348 return (error);
 349 /* From here on, msg.msg_control is allocated */
349 } else { 350 } else {
350 msg.msg_control = NULL; 351 msg.msg_control = NULL;
351 msg.msg_controllen = 0; 352 msg.msg_controllen = 0;
352 } 353 }
353 354
354 iovsz = msg.msg_iovlen * sizeof(struct iovec); 355 iovsz = msg.msg_iovlen * sizeof(struct iovec);
355 if ((u_int)msg.msg_iovlen > UIO_SMALLIOV) { 356 if ((u_int)msg.msg_iovlen > UIO_SMALLIOV) {
356 if ((u_int)msg.msg_iovlen > IOV_MAX) 357 if ((u_int)msg.msg_iovlen > IOV_MAX) {
357 return (EMSGSIZE); 358 error = EMSGSIZE;
 359 goto out;
 360 }
358 iov = kmem_alloc(iovsz, KM_SLEEP); 361 iov = kmem_alloc(iovsz, KM_SLEEP);
359 } else 362 }
360 iov = aiov; 
361 363
362 iov32 = NETBSD32PTR64(msg32.msg_iov); 364 iov32 = NETBSD32PTR64(msg32.msg_iov);
363 error = netbsd32_to_iovecin(iov32, iov, msg.msg_iovlen); 365 error = netbsd32_to_iovecin(iov32, iov, msg.msg_iovlen);
364 if (error) 366 if (error)
365 goto done; 367 goto out;
366 msg.msg_iov = iov; 368 msg.msg_iov = iov;
367 369
368 error = do_sys_sendmsg(l, SCARG(uap, s), &msg, SCARG(uap, flags), retval); 370 error = do_sys_sendmsg(l, SCARG(uap, s), &msg, SCARG(uap, flags), retval);
369done: 371 /* msg.msg_control freed by do_sys_sendmsg() */
 372
370 if (iov != aiov) 373 if (iov != aiov)
371 kmem_free(iov, iovsz); 374 kmem_free(iov, iovsz);
372 return (error); 375 return (error);
 376
 377out:
 378 if (iov != aiov)
 379 kmem_free(iov, iovsz);
 380 if (msg.msg_control)
 381 m_free(msg.msg_control);
 382 return error;
373} 383}
374 384
375int 385int
376netbsd32_recvfrom(struct lwp *l, const struct netbsd32_recvfrom_args *uap, register_t *retval) 386netbsd32_recvfrom(struct lwp *l, const struct netbsd32_recvfrom_args *uap, register_t *retval)
377{ 387{
378 /* { 388 /* {
379 syscallarg(int) s; 389 syscallarg(int) s;
380 syscallarg(netbsd32_voidp) buf; 390 syscallarg(netbsd32_voidp) buf;
381 syscallarg(netbsd32_size_t) len; 391 syscallarg(netbsd32_size_t) len;
382 syscallarg(int) flags; 392 syscallarg(int) flags;
383 syscallarg(netbsd32_sockaddrp_t) from; 393 syscallarg(netbsd32_sockaddrp_t) from;
384 syscallarg(netbsd32_intp) fromlenaddr; 394 syscallarg(netbsd32_intp) fromlenaddr;
385 } */ 395 } */