Bug #5874: Very low memory may cause a TCP double-free - illumos gate - illumos

Bug #5874

Very low memory may cause a TCP double-free

Added by Dan McDonald over 5 years ago.

Status:

New

Priority:

Low

Assignee:

Category:

networking

Start date:

2015-04-27

Due date:

% Done:

Estimated time:

Difficulty:

Bite-size

Tags:

needs-triage

Gerrit CR:

Description

Consider this code snippet from tcp_input_listener():


1515         /*
1516          * Now that the IP addresses and ports are setup in econnp we
1517          * can do the IPsec policy work.
1518          */
1519         if (ira->ira_flags & IRAF_IPSEC_SECURE) {
1520                 if (lconnp->conn_policy != NULL) {
1521                         /*
1522                          * Inherit the policy from the listener; use
1523                          * actions from ira
1524                          */
1525                         if (!ip_ipsec_policy_inherit(econnp, lconnp, ira)) {
1526                                 CONN_DEC_REF(econnp);
1527                                 freemsg(mp);
1528                                 goto error3;
1529                         }
1530                 }
1531         }

Now look at the error3: label:


1818 error3:
1819         CONN_DEC_REF(econnp);
1820 error2:
1821         freemsg(mp);
1822         if (tlc_set)
1823                 atomic_dec_32(&listener->tcp_listen_cnt->tlc_cnt);
1824 }

We need to lose the freemsg() in line 1527.

NOTE: Testing this will be annoying, because ip_ipsec_policy_inherit() only fails if the IPsec action kmem cache is depleted.

No data to display

Also available in: Atom PDF

Project

General

Profile

illumos gate

Custom queries

Bug #5874

Very low memory may cause a TCP double-free