tcp: plug an mbuf leak

When a challenge ACK should be sent via tcp_send_challenge_ack(),
but the rate limiter suppresses the sending, free the mbuf chain.
The caller of tcp_send_challenge_ack() expects this similar to the
callers of tcp_respond().

Approved by:	so
Security:	FreeBSD-SA-26:06.tcp
Security:	CVE-2026-4247
Reviewed by:	lstewart
Tested by:	lstewart
Sponsored by:	Netflix, Inc.
This commit is contained in:
Michael Tuexen
2026-03-25 06:53:56 +01:00
committed by Gordon Tetlow
parent cb692380f1
commit 6b2d6ccad2
+2
View File
@@ -2216,6 +2216,8 @@ tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m)
tcp_respond(tp, mtod(m, void *), th, m, tp->rcv_nxt,
tp->snd_nxt, TH_ACK);
tp->last_ack_sent = tp->rcv_nxt;
} else {
m_freem(m);
}
}