From a973c5922de7ada4ff4d4b459d4f5b28d2aeb9e0 Mon Sep 17 00:00:00 2001
From: Samuel Thibault
Date: Thu, 18 Feb 2021 11:59:58 +0100
Subject: ip6_output: fix memory leak on fast-send

When emitting NDP Neighbour Sollicitations, ip6_output immediately calls if_encap without going through any queue. if_encap however does not free the mbuf, so ip6_output has to do it. This was leaking one mbuf per NDP NS sent by slirp. Hopefully the guest was not using more than NDP_TABLE_SIZE (16) IPv6 addresses, in which case it was limited to a bound number, but more addresses would result to leaks.
---
 src/ip6_output.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/ip6_output.c b/src/ip6_output.c
index b861106..2f62cc9 100644
--- a/src/ip6_output.c
+++ b/src/ip6_output.c
@@ -30,7 +30,10 @@ int ip6_output(struct socket *so, struct mbuf *m, int fast)
 ip->ip_fl_lo = 0;
 
 if (fast) {
+ /* We cannot fast-send non-multicast, we'd need a NDP NS */
+ assert(IN6_IS_ADDR_MULTICAST(&ip->ip_dst));
 if_encap(m->slirp, m);
+ m_free(m);
 } else {
 if_output(so, m);
 }
-- 
cgit v1.1
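Review bot: The multicast invariant in the `if (fast)` branch is enforced only by `assert(IN6_IS_ADDR_MULTICAST(&ip->ip_dst));`, which vanishes in a build that defines NDEBUG and otherwise aborts the whole process hosting the guest. With the assert compiled out, a non-multicast destination would still reach `if_encap` and then be released by the new `m_free(m)` whether or not it was sent, because the return value of `if_encap` is ignored here. Whether any caller can set `fast` with a destination the guest influences is not visible in this hunk, so I would keep the assert for debug builds but back it with a runtime check that frees `m` and leaves the function the way other drops do. The ownership rule behind the fix also deserves a comment next to the free, for example `/* if_encap() does not take ownership of m on the fast path; release it here */`. The body of ip6_output starts and ends outside the hunk, so its return convention should be checked before picking the exit value.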