author | hsu <hsu@FreeBSD.org> | 2002-12-24 21:00:31 +0000 |
---|---|---|
committer | hsu <hsu@FreeBSD.org> | 2002-12-24 21:00:31 +0000 |
commit | 449c7cf2ec0ef490d47057b98cac0fbdfe2f71d9 (patch) | |
tree | 66f5a3c92b8353f9df0e551a9cfdf2bb7d046259 | |
parent | d52d1ebbebd2c94b5d0979363463f75358f763e1 (diff) | |
download | FreeBSD-src-449c7cf2ec0ef490d47057b98cac0fbdfe2f71d9.zip FreeBSD-src-449c7cf2ec0ef490d47057b98cac0fbdfe2f71d9.tar.gz |
Validate inp to prevent a use after free.
-rw-r--r-- | sys/netinet/tcp_subr.c | 3 | ||||
-rw-r--r-- | sys/netinet/tcp_timer.c | 25 | ||||
-rw-r--r-- | sys/netinet/tcp_timewait.c | 3 |
3 files changed, 29 insertions, 2 deletions
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 845df42..46e32d9 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -771,6 +771,7 @@ tcp_close(tp)
 			FREE(q, M_TSEGQ);
 		}
 	inp->inp_ppcb = NULL;
+	tp->t_inpcb = NULL;
 	soisdisconnected(so);
 #ifdef INET6
 	if (INP_CHECK_SOCKAF(so, AF_INET6))
@@ -1427,7 +1428,7 @@ tcp_mtudisc(inp, errno)
 /*
  * Look-up the routing entry to the peer of this inpcb. If no route
- * is found and it cannot be allocated the return NULL. This routine
+ * is found and it cannot be allocated, then return NULL. This routine
  * is called by TCP routines that access the rmx structure and by tcp_mss
  * to get the interface MTU.
  */
diff --git a/sys/netinet/tcp_timer.c b/sys/netinet/tcp_timer.c
index bbfb9d6..0c626b1 100644
--- a/sys/netinet/tcp_timer.c
+++ b/sys/netinet/tcp_timer.c
@@ -178,6 +178,11 @@ tcp_timer_delack(xtp)
 	s = splnet();
 	INP_INFO_RLOCK(&tcbinfo);
 	inp = tp->t_inpcb;
+	if (!inp) {
+		INP_INFO_RUNLOCK(&tcbinfo);
+		splx(s);
+		return;
+	}
 	INP_LOCK(inp);
 	INP_INFO_RUNLOCK(&tcbinfo);
 	if (callout_pending(tp->tt_delack) || !callout_active(tp->tt_delack)) {
@@ -209,6 +214,11 @@ tcp_timer_2msl(xtp)
 	s = splnet();
 	INP_INFO_WLOCK(&tcbinfo);
 	inp = tp->t_inpcb;
+	if (!inp) {
+		INP_INFO_WUNLOCK(&tcbinfo);
+		splx(s);
+		return;
+	}
 	INP_LOCK(inp);
 	if (callout_pending(tp->tt_2msl) || !callout_active(tp->tt_2msl)) {
 		INP_UNLOCK(tp->t_inpcb);
@@ -257,6 +267,11 @@ tcp_timer_keep(xtp)
 	s = splnet();
 	INP_INFO_WLOCK(&tcbinfo);
 	inp = tp->t_inpcb;
+	if (!inp) {
+		INP_INFO_WUNLOCK(&tcbinfo);
+		splx(s);
+		return;
+	}
 	INP_LOCK(inp);
 	if (callout_pending(tp->tt_keep) || !callout_active(tp->tt_keep)) {
 		INP_UNLOCK(inp);
@@ -341,6 +356,11 @@ tcp_timer_persist(xtp)
 	s = splnet();
 	INP_INFO_WLOCK(&tcbinfo);
 	inp = tp->t_inpcb;
+	if (!inp) {
+		INP_INFO_WUNLOCK(&tcbinfo);
+		splx(s);
+		return;
+	}
 	INP_LOCK(inp);
 	if (callout_pending(tp->tt_persist) || !callout_active(tp->tt_persist)){
 		INP_UNLOCK(inp);
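Review bot: The new `tp->t_inpcb = NULL` store in tcp_close is what the timer callouts test before taking INP_LOCK, so it only protects them if it is published under the same INP_INFO lock the timers acquire; whether tcp_close holds INP_INFO_WLOCK at this point is outside the hunk and should be confirmed. A timer that has already loaded `inp = tp->t_inpcb` before this store still proceeds with the old inpcb, so the store narrows the window rather than closing it. A short comment would tell the next reader why the field is cleared here, e.g. `/* Timers bail out on a NULL t_inpcb; clear it before the pcb is detached. */`. tcp_close continues beyond the hunk, and the tcp_timewait.c section repeats this hunk with the same blob ids, so the same remark applies there.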
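Review bot: The early return in tcp_timer_delack still dereferences `tp` to load `t_inpcb`, so it only helps if the tcpcb itself is still valid memory after tcp_close has cleared the field; if the tcpcb is released together with the inpcb (not visible in this diff), that load is itself the use-after-free and a callout_stop that does not wait for an already-running handler leaves the race open. The same guard is repeated in tcp_timer_2msl, tcp_timer_keep, tcp_timer_persist and tcp_timer_rexmt; a comment on the first occurrence, `/* tcp_close() cleared t_inpcb: the connection is gone, drop the timer. */`, would record that a NULL here is expected rather than a bug. In the tcp_timer_2msl hunk the context line `INP_UNLOCK(tp->t_inpcb);` differs from the `INP_UNLOCK(inp);` used by the other timers; since `inp` is now the checked value, unlocking through it would read more consistently. Each timer function starts before and ends after its hunk.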
@@ -403,6 +423,11 @@ tcp_timer_rexmt(xtp)
 	INP_INFO_WLOCK(&tcbinfo);
 	headlocked = 1;
 	inp = tp->t_inpcb;
+	if (!inp) {
+		INP_INFO_WUNLOCK(&tcbinfo);
+		splx(s);
+		return;
+	}
 	INP_LOCK(inp);
 	if (callout_pending(tp->tt_rexmt) || !callout_active(tp->tt_rexmt)) {
 		INP_UNLOCK(inp);
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 845df42..46e32d9 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -771,6 +771,7 @@ tcp_close(tp)
 			FREE(q, M_TSEGQ);
 		}
 	inp->inp_ppcb = NULL;
+	tp->t_inpcb = NULL;
 	soisdisconnected(so);
 #ifdef INET6
 	if (INP_CHECK_SOCKAF(so, AF_INET6))
@@ -1427,7 +1428,7 @@ tcp_mtudisc(inp, errno)
 /*
  * Look-up the routing entry to the peer of this inpcb. If no route
- * is found and it cannot be allocated the return NULL. This routine
+ * is found and it cannot be allocated, then return NULL. This routine
  * is called by TCP routines that access the rmx structure and by tcp_mss
  * to get the interface MTU.
  */