From 16fb86ab35dd2dcb3aa1011f7458798c423d10c9 Mon Sep 17 00:00:00 2001 From: Conrad Meyer Date: Tue, 7 Jun 2016 19:49:08 +0000 Subject: [PATCH] iflib: Fix potential leak in iflib_if_transmit Due to an accidental mismatch between allocation and release in the slow path of iflib_if_transmit, if a caller passed 9-16 mbufs to the routine, the mbuf array would be leaked. Fix the mismatch by removing the magic numbers in favor of nitems() on the stack array. According to mmacy, this leak is unlikely. Reported by: Coverity Discussed with: mmacy CID: 1356040 Sponsored by: EMC / Isilon Storage Division
---
 sys/net/iflib.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/net/iflib.c b/sys/net/iflib.c
index be5b85b9138d..b7dd3ac99cc8 100644
--- a/sys/net/iflib.c
+++ b/sys/net/iflib.c
@@ -3085,7 +3085,7 @@ iflib_if_transmit(if_t ifp, struct mbuf *m)
 next = next->m_nextpkt;
 } while (next != NULL);
- if (count > 8)
+ if (count > nitems(marr))
 if ((mp = malloc(count*sizeof(struct mbuf *), M_IFLIB, M_NOWAIT)) == NULL) {
 /* XXX check nextpkt */
 m_freem(m);
@@ -3112,7 +3112,7 @@ iflib_if_transmit(if_t ifp, struct mbuf *m)
 m_freem(mp[i]);
 ifmp_ring_check_drainage(txq->ift_br[0], TX_BATCH_SIZE);
 }
- if (count > 16)
+ if (count > nitems(marr))
 free(mp, M_IFLIB);
 return (err);
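Review bot: The allocation-failure branch kept as context in the first hunk still frees only the first packet: `m_freem(m)` releases one mbuf chain, while the loop above counted packets linked through `m_nextpkt`, so when the `M_NOWAIT` malloc fails the remaining packets of the batch appear to be leaked. The existing `/* XXX check nextpkt */` marks the same gap. Since this commit already fixes a leak on this path, consider freeing the whole list, e.g. `while (m != NULL) { next = m->m_nextpkt; m_freem(m); m = next; }`. The rest of the branch lies outside the hunk, so confirm that nothing later in it handles the remaining packets.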
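Review bot: The release at `if (count > nitems(marr))` in the second hunk is correct only while it repeats the allocation condition exactly, which is the same duplication that produced the 8-versus-16 mismatch. If `mp` is set to `marr` on the fast path (that assignment is outside the hunk, so this is inferred), testing the pointer instead, `if (mp != marr) free(mp, M_IFLIB);`, ties the free to what was actually allocated and cannot drift from the threshold again. Failing that, a short comment on this line naming the matching malloc would help, e.g. `/* mp was heap-allocated above only when count exceeds marr */`.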