author bluhm <bluhm@openbsd.org> 2021-01-09 15:30:38 +0000
committer bluhm <bluhm@openbsd.org> 2021-01-09 15:30:38 +0000
commit a47f48c5303edcdbff8f74b67093a0288a158202 (patch)
tree bedf299d585a1faa540a49522f19f39f2907df1c /sys
parent Syzkaller has found a stack overflow in socket splicing. Broadcast (diff)
If the loop check in somove(9) goes to release without setting an
error, a broadcast mbuf will stay in the socket buffer forever.
This is bad as multiple mbufs can use up all the space. Better
report ELOOP, dissolve splicing, and let userland handle it.
OK anton@
Diffstat (limited to 'sys')
-rw-r--r-- sys/kern/uipc_socket.c 5
1 files changed, 2 insertions, 3 deletions
diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index edc2b1495a0..bf9ecaff692 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uipc_socket.c,v 1.252 2020/12/25 12:59:52 visa Exp $ */
+/* $OpenBSD: uipc_socket.c,v 1.253 2021/01/09 15:30:38 bluhm Exp $ */
/* $NetBSD: uipc_socket.c,v 1.21 1996/02/04 02:17:52 christos Exp $ */
/*
@@ -1451,8 +1451,7 @@ somove(struct socket *so, int wait)
if ((m->m_flags & M_PKTHDR) &&
((m->m_pkthdr.ph_loopcnt++ >= M_MAXLOOP) ||
((m->m_flags & M_LOOP) && (m->m_flags & (M_BCAST|M_MCAST))))) {
- if (m->m_pkthdr.ph_loopcnt >= M_MAXLOOP)
- error = ELOOP;
+ error = ELOOP;
goto release;
}
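Review bot: the second branch of the condition in somove(), (m->m_flags & M_LOOP) && (m->m_flags & (M_BCAST|M_MCAST)), now also produces ELOOP, but nothing in the code records why a looped broadcast or multicast mbuf has to be an error rather than a silent release. A short comment above "error = ELOOP;" saying that going to release without an error leaves the mbuf in the socket buffer would keep a later cleanup from reintroducing the removed "if (m->m_pkthdr.ph_loopcnt >= M_MAXLOOP)" test. Userland now gets ELOOP and a dissolved splice for this case as well, so if the splicing documentation describes ELOOP only for the M_MAXLOOP counter, it should be updated in the same change.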