From a6ae9b104fd65f11a8e48e69a1e493e4b727605e Mon Sep 17 00:00:00 2001
From: bluhm <bluhm@openbsd.org>
Date: Tue, 19 Jul 2016 21:28:43 +0000
Subject: [PATCH] Plug an mbuf leak in the error path of tcp signature in
 tcp_output(). OK claudio@ henning@

---
 sys/netinet/tcp_output.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index bf67b1bf383..77e2321ec84 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tcp_output.c,v 1.117 2016/06/13 21:24:43 bluhm Exp $	*/
+/*	$OpenBSD: tcp_output.c,v 1.118 2016/07/19 21:28:43 bluhm Exp $	*/
 /*	$NetBSD: tcp_output.c,v 1.16 1997/06/03 16:17:09 kml Exp $	*/
 
 /*
@@ -931,12 +931,16 @@ send:
 
 		tdb = gettdbbysrcdst(rtable_l2(tp->t_inpcb->inp_rtableid),
 		    0, &src, &dst, IPPROTO_TCP);
-		if (tdb == NULL)
+		if (tdb == NULL) {
+			m_freem(m);
 			return (EPERM);
+		}
 
 		if (tcp_signature(tdb, tp->pf, m, th, iphlen, 0,
-		    mtod(m, caddr_t) + hdrlen - optlen + sigoff) < 0)
+		    mtod(m, caddr_t) + hdrlen - optlen + sigoff) < 0) {
+			m_freem(m);
 			return (EINVAL);
+		}
 	}
 #endif /* TCP_SIGNATURE */
 
-- 
2.20.1