From: Vitaliy Makkoveev <mvs@openbsd.org>
Subject: Re: divert socket attach error handling
To: Alexander Bluhm <bluhm@openbsd.org>
Cc: tech@openbsd.org
Date: Thu, 23 Jan 2025 14:33:49 +0300

On Thu, Jan 23, 2025 at 12:00:29PM +0100, Alexander Bluhm wrote:
> Hi,
> 
> All other internet socket attach functions first call soreserve()
> and then in_pcballoc().  This avoids an in_pcbdetach() in the error
> path.  Current divert attach code may leak the inpcb.
> 

Nice catch, ok mvs.

> ok?
> 
> bluhm
> 
> Index: netinet/ip_divert.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_divert.c,v
> diff -u -p -r1.98 ip_divert.c
> --- netinet/ip_divert.c	1 Jan 2025 13:44:22 -0000	1.98
> +++ netinet/ip_divert.c	23 Jan 2025 10:58:46 -0000
> @@ -272,12 +272,11 @@ divert_attach(struct socket *so, int pro
>  	if ((so->so_state & SS_PRIV) == 0)
>  		return EACCES;
>  
> -	error = in_pcballoc(so, &divbtable, wait);
> -	if (error)
> -		return error;
> -
>  	error = soreserve(so, atomic_load_int(&divert_sendspace),
>  	    atomic_load_int(&divert_recvspace));
> +	if (error)
> +		return error;
> +	error = in_pcballoc(so, &divbtable, wait);
>  	if (error)
>  		return error;
>  
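Review bot: The order of the soreserve() and in_pcballoc() calls in divert_attach() is now what keeps the error path free of an in_pcbdetach(), but nothing in the code records that. A one-line comment above the soreserve() call, saying that in_pcballoc() must stay the last step that can fail, would keep a later edit from reintroducing the inpcb leak. Separately, when in_pcballoc() fails the function now returns with the soreserve() reservation already applied to the socket; that is only harmless if the caller discards the socket on attach failure, which these lines do not show and is worth confirming against the other attach functions the message refers to.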
> Index: netinet6/ip6_divert.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_divert.c,v
> diff -u -p -r1.97 ip6_divert.c
> --- netinet6/ip6_divert.c	16 Aug 2024 09:20:35 -0000	1.97
> +++ netinet6/ip6_divert.c	23 Jan 2025 10:58:46 -0000
> @@ -280,12 +280,11 @@ divert6_attach(struct socket *so, int pr
>  	if ((so->so_state & SS_PRIV) == 0)
>  		return EACCES;
>  
> -	error = in_pcballoc(so, &divb6table, wait);
> -	if (error)
> -		return (error);
> -
>  	error = soreserve(so, atomic_load_int(&divert6_sendspace),
>  	    atomic_load_int(&divert6_recvspace));
> +	if (error)
> +		return (error);
> +	error = in_pcballoc(so, &divb6table, wait);
>  	if (error)
>  		return (error);
>  
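Review bot: The added check after soreserve() in divert6_attach() uses "return (error);" while the same added check in divert_attach() uses "return error;". Both match their own file, so this is only a style point, but since the two functions are otherwise line-for-line copies and these returns are being touched anyway, settling on one form would make the next side-by-side diff of the two files cleaner. The added in_pcballoc() call also follows the return with no blank line, where the removed lines separated the two steps with one; keeping that separator would make the two failure points easier to pick out.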
>