tcp: plug an mbuf leak
When a challenge ACK should be sent via tcp_send_challenge_ack(), but the rate limiter suppresses the sending, free the mbuf chain. The caller of tcp_send_challenge_ack() expects this similar to the callers of tcp_respond(). Approved by: so Security: FreeBSD-SA-26:06.tcp Security: CVE-2026-4247 Reviewed by: lstewart Tested by: lstewart Sponsored by: Netflix, Inc.
This commit is contained in:
committed by
Gordon Tetlow
parent
cb692380f1
commit
6b2d6ccad2
@@ -2216,6 +2216,8 @@ tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m)
|
||||
tcp_respond(tp, mtod(m, void *), th, m, tp->rcv_nxt,
|
||||
tp->snd_nxt, TH_ACK);
|
||||
tp->last_ack_sent = tp->rcv_nxt;
|
||||
} else {
|
||||
m_freem(m);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user