From afd6de94ccf3da9e12f9e5eecf7d6799ad38f04d Mon Sep 17 00:00:00 2001
From: Michael Tuexen
Date: Wed, 25 Mar 2026 06:53:56 +0100
Subject: [PATCH] tcp: plug an mbuf leak
When a challenge ACK should be sent via tcp_send_challenge_ack(), but the rate limiter suppresses the sending, free the mbuf chain. The caller of tcp_send_challenge_ack() expects this similar to the callers of tcp_respond().
Approved by: so
Security: FreeBSD-SA-26:06.tcp
Security: CVE-2026-4247
Reviewed by: lstewart
Tested by: lstewart
Sponsored by: Netflix, Inc.
---
 sys/netinet/tcp_subr.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index d17b46d1303..16871d7d828 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -2256,6 +2256,8 @@ tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m)
 tcp_respond(tp, mtod(m, void *), th, m, tp->rcv_nxt, tp->snd_nxt, TH_ACK);
 tp->last_ack_sent = tp->rcv_nxt;
+ } else {
+ m_freem(m);
 }
 }
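Review bot: The ownership rule this fix depends on, that tcp_send_challenge_ack() consumes `m` on every path, is stated only in the commit message and not in the code; the new `else` branch should carry a comment such as `/* Rate limited: m is still ours, free it as tcp_respond() would have. */`. The suppressed path is the one taken once the rate limiter engages, so before this change each suppressed challenge ACK left an mbuf chain allocated, which is why the contract is worth making explicit. A header comment on the function saying that callers must not touch `m` after the call (and presumably not a `th` that points into it either) would guard against both a reintroduced leak and a double free. The function's opening lines are outside the hunk, so whether such a comment already exists cannot be seen from here.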