author | andre <andre@FreeBSD.org> | 2007-04-23 19:41:47 +0000 |
---|---|---|
committer | andre <andre@FreeBSD.org> | 2007-04-23 19:41:47 +0000 |
commit | 27e460915a980500387dd071a93153647aa36605 (patch) | |
tree | 0428edcf55139fe834510ac62508095db15564e9 | |
parent | d5a4cf1cbe02539c3073cba6f89a65720280d265 (diff) | |
o Fix INP lock leak in the minttl case
o Remove indirection in the decision of unlocking inp
o Further annotation of locking in tcp_input()
-rw-r--r-- | sys/netinet/tcp_input.c | 11 | ||||
-rw-r--r-- | sys/netinet/tcp_reass.c | 11 |
2 files changed, 12 insertions, 10 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 3cbc817..ffb068b 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -751,9 +751,9 @@ findpcb:
 if (inp->inp_vflag & INP_TIMEWAIT) {
 if (thflags & TH_SYN)
 tcp_dooptions(&to, optp, optlen, TO_SYN);
+ /* NB: tcp_timewait unlocks the INP and frees the mbuf. */
 if (tcp_timewait(inp, &to, th, m, tlen))
 goto findpcb;
- /* tcp_timewait unlocks inp. */
 INP_INFO_WUNLOCK(&tcbinfo);
 return;
 }
@@ -764,7 +764,6 @@ findpcb:
 */
 tp = intotcpcb(inp);
 if (tp == NULL) {
- INP_UNLOCK(inp);
 rstreason = BANDLIM_RST_CLOSEDPORT;
 goto dropwithreset;
 }
@@ -833,6 +832,10 @@ findpcb:
 * timestamp.
 */
 tcp_dooptions(&to, optp, optlen, 0);
+ /*
+ * NB: syncache_expand() doesn't unlock
+ * inp and tcpinfo locks.
+ */
 if (!syncache_expand(&inc, &to, th, &so, m)) {
 /*
 * No syncache entry or ACK was not
@@ -925,8 +928,6 @@ findpcb:
 if ((ia6 = ip6_getdstifaddr(m)) &&
 (ia6->ia6_flags & IN6_IFF_DEPRECATED)) {
- INP_UNLOCK(inp);
- tp = NULL;
 rstreason = BANDLIM_RST_OPENPORT;
 goto dropwithreset;
 }
@@ -998,7 +999,7 @@ dropwithreset:
 m = NULL; /* mbuf chain got consumed. */
 dropunlock:
 INP_INFO_WLOCK_ASSERT(&tcbinfo);
- if (tp != NULL)
+ if (inp != NULL)
 INP_UNLOCK(inp);
 INP_INFO_WUNLOCK(&tcbinfo);
 drop:
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index 3cbc817..ffb068b 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -751,9 +751,9 @@ findpcb:
 if (inp->inp_vflag & INP_TIMEWAIT) {
 if (thflags & TH_SYN)
 tcp_dooptions(&to, optp, optlen, TO_SYN);
+ /* NB: tcp_timewait unlocks the INP and frees the mbuf. */
 if (tcp_timewait(inp, &to, th, m, tlen))
 goto findpcb;
- /* tcp_timewait unlocks inp. */
 INP_INFO_WUNLOCK(&tcbinfo);
 return;
 }
@@ -764,7 +764,6 @@ findpcb:
 */
 tp = intotcpcb(inp);
 if (tp == NULL) {
- INP_UNLOCK(inp);
 rstreason = BANDLIM_RST_CLOSEDPORT;
 goto dropwithreset;
 }
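Review bot: The comment added in the `@@ -751,9 +751,9 @@` hunk says tcp_timewait frees the mbuf, yet a non-zero return jumps back to `findpcb` with the same `m`, which suggests the mbuf is still live on that path. If that is the case (tcp_timewait's body is not shown here), the comment should be qualified, e.g. `/* NB: tcp_timewait unlocks the INP; the mbuf is freed unless it returns non-zero. */`, so a later reader does not treat `m` as consumed or add a second free on the retry path. The same wording appears in the copy listed under sys/netinet/tcp_reass.c.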
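Review bot: The comment added in the `@@ -833,6 +832,10 @@` hunk calls the second lock "tcpinfo", but the lock used everywhere else in this diff is `tcbinfo` (see `INP_INFO_WUNLOCK(&tcbinfo)`). These annotations are what a reader searches for when auditing lock state, so the name should match: `* NB: syncache_expand() doesn't unlock the inp or tcbinfo locks.` The same typo is in the sys/netinet/tcp_reass.c copy.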
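Review bot: In the `@@ -998,7 +999,7 @@` hunk, `dropunlock:` now unlocks whenever `inp != NULL`, so correctness depends on `inp` being NULL on every path that reaches `dropunlock` or `dropwithreset` without the INP lock held, whether before the PCB lookup or after a callee such as tcp_timewait has already released it. The hunk shows neither the initialisation of `inp` nor those jumps (the body of tcp_input() starts and ends outside it), so this needs confirming; a stale non-NULL `inp` here would release a mutex that is not owned or touch a PCB that may already be freed. I would state the invariant at the label, `/* inp != NULL means the INP lock is held; clear inp after any unlock. */`, and assert it with `INP_LOCK_ASSERT(inp);` ahead of `INP_UNLOCK(inp);`. The same applies to the identical hunk listed under sys/netinet/tcp_reass.c.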
@@ -833,6 +832,10 @@ findpcb:
 * timestamp.
 */
 tcp_dooptions(&to, optp, optlen, 0);
+ /*
+ * NB: syncache_expand() doesn't unlock
+ * inp and tcpinfo locks.
+ */
 if (!syncache_expand(&inc, &to, th, &so, m)) {
 /*
 * No syncache entry or ACK was not
@@ -925,8 +928,6 @@ findpcb:
 if ((ia6 = ip6_getdstifaddr(m)) &&
 (ia6->ia6_flags & IN6_IFF_DEPRECATED)) {
- INP_UNLOCK(inp);
- tp = NULL;
 rstreason = BANDLIM_RST_OPENPORT;
 goto dropwithreset;
 }
@@ -998,7 +999,7 @@ dropwithreset:
 m = NULL; /* mbuf chain got consumed. */
 dropunlock:
 INP_INFO_WLOCK_ASSERT(&tcbinfo);
- if (tp != NULL)
+ if (inp != NULL)
 INP_UNLOCK(inp);
 INP_INFO_WUNLOCK(&tcbinfo);
 drop: |