authorhsu <hsu@FreeBSD.org>2002-12-24 21:00:31 +0000
committerhsu <hsu@FreeBSD.org>2002-12-24 21:00:31 +0000
commit449c7cf2ec0ef490d47057b98cac0fbdfe2f71d9 (patch)
tree66f5a3c92b8353f9df0e551a9cfdf2bb7d046259
parentd52d1ebbebd2c94b5d0979363463f75358f763e1 (diff)
downloadFreeBSD-src-449c7cf2ec0ef490d47057b98cac0fbdfe2f71d9.zip
FreeBSD-src-449c7cf2ec0ef490d47057b98cac0fbdfe2f71d9.tar.gz
Validate inp to prevent a use-after-free.
-rw-r--r--sys/netinet/tcp_subr.c3
-rw-r--r--sys/netinet/tcp_timer.c25
-rw-r--r--sys/netinet/tcp_timewait.c3
3 files changed, 29 insertions, 2 deletions
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 845df42..46e32d9 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -771,6 +771,7 @@ tcp_close(tp)
FREE(q, M_TSEGQ);
}
inp->inp_ppcb = NULL;
+ tp->t_inpcb = NULL;
soisdisconnected(so);
#ifdef INET6
if (INP_CHECK_SOCKAF(so, AF_INET6))
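Review bot: Clearing `tp->t_inpcb` at line 26 only protects a timer that fires later if the tcpcb itself is still valid memory when the callout runs; if `tp` is released together with the inpcb further down in tcp_close (the rest of the function is outside this hunk), the timer's read of `tp->t_inpcb` is itself a read of freed memory and this assignment merely narrows the window. The durable fix is to ensure every `tt_*` callout is stopped, and waited for if already running, before the storage is freed; whether tcp_close does that above this hunk is not visible here. A comment at the new line would help the next reader: `/* Timers test t_inpcb for NULL to detect a closed pcb; keep in sync with tcp_timer.c. */`. tcp_close begins before and ends after this hunk.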
@@ -1427,7 +1428,7 @@ tcp_mtudisc(inp, errno)
/*
* Look-up the routing entry to the peer of this inpcb. If no route
- * is found and it cannot be allocated the return NULL. This routine
+ * is found and it cannot be allocated, then return NULL. This routine
* is called by TCP routines that access the rmx structure and by tcp_mss
* to get the interface MTU.
*/
diff --git a/sys/netinet/tcp_timer.c b/sys/netinet/tcp_timer.c
index bbfb9d6..0c626b1 100644
--- a/sys/netinet/tcp_timer.c
+++ b/sys/netinet/tcp_timer.c
@@ -178,6 +178,11 @@ tcp_timer_delack(xtp)
s = splnet();
INP_INFO_RLOCK(&tcbinfo);
inp = tp->t_inpcb;
+ if (!inp) {
+ INP_INFO_RUNLOCK(&tcbinfo);
+ splx(s);
+ return;
+ }
INP_LOCK(inp);
INP_INFO_RUNLOCK(&tcbinfo);
if (callout_pending(tp->tt_delack) || !callout_active(tp->tt_delack)) {
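Review bot: The new NULL check at lines 46–50 carries no comment explaining why `t_inpcb` can be NULL here, and the same unexplained test is repeated in the four timers below; one comment on this first instance, `/* tcp_close() clears t_inpcb; a callout already dequeued can still fire. */`, documents the contract. style(9) also prefers `if (inp == NULL)` over `if (!inp)` for a pointer test. The check is only sound if the `t_inpcb = NULL` store in tcp_close happens under the tcbinfo lock held at line 44; I cannot confirm that from the hunk. tcp_timer_delack begins before and ends after this hunk.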
@@ -209,6 +214,11 @@ tcp_timer_2msl(xtp)
s = splnet();
INP_INFO_WLOCK(&tcbinfo);
inp = tp->t_inpcb;
+ if (!inp) {
+ INP_INFO_WUNLOCK(&tcbinfo);
+ splx(s);
+ return;
+ }
INP_LOCK(inp);
if (callout_pending(tp->tt_2msl) || !callout_active(tp->tt_2msl)) {
INP_UNLOCK(tp->t_inpcb);
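Review bot: Line 65 unlocks via `INP_UNLOCK(tp->t_inpcb)` while the four sibling timers unlock the cached `inp`; now that line 57 validates `inp` before taking the lock, re-reading `tp->t_inpcb` for the unlock is a second, unvalidated dereference of the field that tcp_close clears, and should be `INP_UNLOCK(inp);` for consistency with lines 77, 89 and 101. The early-return path at lines 58–62 correctly drops the write lock and restores the spl. tcp_timer_2msl begins before and ends after this hunk.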
@@ -257,6 +267,11 @@ tcp_timer_keep(xtp)
s = splnet();
INP_INFO_WLOCK(&tcbinfo);
inp = tp->t_inpcb;
+ if (!inp) {
+ INP_INFO_WUNLOCK(&tcbinfo);
+ splx(s);
+ return;
+ }
INP_LOCK(inp);
if (callout_pending(tp->tt_keep) || !callout_active(tp->tt_keep)) {
INP_UNLOCK(inp);
@@ -341,6 +356,11 @@ tcp_timer_persist(xtp)
s = splnet();
INP_INFO_WLOCK(&tcbinfo);
inp = tp->t_inpcb;
+ if (!inp) {
+ INP_INFO_WUNLOCK(&tcbinfo);
+ splx(s);
+ return;
+ }
INP_LOCK(inp);
if (callout_pending(tp->tt_persist) || !callout_active(tp->tt_persist)){
INP_UNLOCK(inp);
@@ -403,6 +423,11 @@ tcp_timer_rexmt(xtp)
INP_INFO_WLOCK(&tcbinfo);
headlocked = 1;
inp = tp->t_inpcb;
+ if (!inp) {
+ INP_INFO_WUNLOCK(&tcbinfo);
+ splx(s);
+ return;
+ }
INP_LOCK(inp);
if (callout_pending(tp->tt_rexmt) || !callout_active(tp->tt_rexmt)) {
INP_UNLOCK(inp);
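Review bot: The early return at lines 94–98 drops the tcbinfo write lock but leaves `headlocked` set to 1 from line 92; harmless on an immediate return, but the flag now lies about the lock state at the point of exit, so `headlocked = 0;` before `INP_INFO_WUNLOCK` keeps it consistent with whatever later path in this function consults it. The `s` restored by `splx(s)` is assigned above the hunk, which I cannot see. tcp_timer_rexmt begins before and ends after this hunk.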
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 845df42..46e32d9 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -771,6 +771,7 @@ tcp_close(tp)
FREE(q, M_TSEGQ);
}
inp->inp_ppcb = NULL;
+ tp->t_inpcb = NULL;
soisdisconnected(so);
#ifdef INET6
if (INP_CHECK_SOCKAF(so, AF_INET6))
@@ -1427,7 +1428,7 @@ tcp_mtudisc(inp, errno)
/*
* Look-up the routing entry to the peer of this inpcb. If no route
- * is found and it cannot be allocated the return NULL. This routine
+ * is found and it cannot be allocated, then return NULL. This routine
* is called by TCP routines that access the rmx structure and by tcp_mss
* to get the interface MTU.
*/