upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-09 00:32:25 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

tcp: plug an mbuf leak

Browse source 
When a challenge ACK should be sent via tcp_send_challenge_ack(),
but the rate limiter suppresses the sending, free the mbuf chain.
The caller of tcp_send_challenge_ack() expects this similar to the
callers of tcp_respond().

Approved by:	so
Security:	FreeBSD-SA-26:06.tcp
Security:       CVE-2026-4247
Reviewed by:	lstewart
Tested by:	lstewart
Sponsored by:	Netflix, Inc.
This commit is contained in:
Michael Tuexen 2026-03-25 06:53:56 +01:00 committed by Franco Fichtner
parent 871a807f48
commit afd6de94cc
1 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
sys/netinet/tcp_subr.c
View file

@ -2256,6 +2256,8 @@ tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m)
tcp_respond(tp, mtod(m, void *), th, m, tp->rcv_nxt,
tp->snd_nxt, TH_ACK);
tp->last_ack_sent = tp->rcv_nxt;
} else {
m_freem(m);
}
}