Diffusion FreeBSD src repository e1751ef89611

udp: Fix a inpcb refcount leak in the tunnel receive path
e1751ef89611
Actions

Tags

None

Referenced Files

None

Subscribers

None

Description

udp: Fix a inpcb refcount leak in the tunnel receive path

When the socket has a tunneling function attached, udp_append() drops
the inpcb lock before calling it. To keep the inpcb alive, we bump the
refcount. After commit 742e7210d00b we only dropped the reference if
the tunnel consumed the packet, but it needs to be dropped in either
case. if_ovpn is the only driver that can trigger this bug.

Fixes: 742e7210d00b ("udp: allow udp_tun_func_t() to indicate it did not eat the packet")
Reviewed by: kp
MFC after: 2 weeks
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D51505

Details

Provenance

Authored on Jul 25 2025, 1:10 PM

Reviewer

Differential Revision

D51505: udp: Fix a refcount leak in the tunnel receive path

Parents

rGc6da58bc17fa: UPDATING: note the new gssd package

Branches

Unknown

Tags

Unknown

Event Timeline

markj committed rGe1751ef89611: udp: Fix a inpcb refcount leak in the tunnel receive path (authored by markj).Jul 25 2025, 5:39 PM

markj added an edge: D51505: udp: Fix a refcount leak in the tunnel receive path.

markj mentioned this in rG4d84cefbba2c: udp: Fix a inpcb refcount leak in the tunnel receive path.Aug 12 2025, 12:56 PM

glebius mentioned this in D52170: udp: don't leak mbuf if tunnel didn't consume and inpcb is gone.Aug 26 2025, 5:09 PM

glebius mentioned this in rGc8a5df48de6f: udp: don't leak mbuf if tunnel didn't consume and inpcb is gone.Sep 1 2025, 4:34 PM

Changes (2)

Path

Size

sys/

netinet/

netinet6/

rGe1751ef89611

sys/netinet/udp_usrreq.c

Loading...

sys/netinet6/udp6_usrreq.c

Loading...