Fix a race condition on tcp listen socket teardown with pending

connections in the accept queue and contiguous new incoming SYNs. Compared to the original submitters patch I've moved the test next to the SYN handling to have it together in a logical unit and reworded the comment explaining the issue. Submitted by: Matt Miller <matt@matthewjmiller.net> Submitted by: Juan Mojica <jmojica@gmail.com> Reviewed by: Matt Miller (changes) Tested by: pho MFC after: 1 week
author: andre <andre@FreeBSD.org> 2013-04-09 20:52:26 +0000
committer: andre <andre@FreeBSD.org> 2013-04-09 20:52:26 +0000
commit: f70f4c314a94a4324c5dc34b2660fd66a18f35b4 (patch)
tree: 6552617dfaef1dd68579f1b498343fe3149629b8 /sys/netinet/tcp_input.c
parent: 777e0f8e3a7b81aeb916225eef3041c0d7019ca9 (diff)
download: FreeBSD-src-f70f4c314a94a4324c5dc34b2660fd66a18f35b4.zip
FreeBSD-src-f70f4c314a94a4324c5dc34b2660fd66a18f35b4.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 09911f5..a7b6ced 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1405,6 +1405,15 @@ relocked:
 		 */
 		INP_INFO_UNLOCK_ASSERT(&V_tcbinfo);
 		return;
+	} else if (tp->t_state == TCPS_LISTEN) {
+		/*
+		 * When a listen socket is torn down the SO_ACCEPTCONN
+		 * flag is removed first while connections are drained
+		 * from the accept queue in a unlock/lock cycle of the
+		 * ACCEPT_LOCK, opening a race condition allowing a SYN
+		 * attempt go through unhandled.
+		 */
+		goto dropunlock;
 	}
 
 #ifdef TCP_SIGNATURE
author	andre <andre@FreeBSD.org>	2013-04-09 20:52:26 +0000
committer	andre <andre@FreeBSD.org>	2013-04-09 20:52:26 +0000
commit	f70f4c314a94a4324c5dc34b2660fd66a18f35b4 (patch)
tree	6552617dfaef1dd68579f1b498343fe3149629b8 /sys/netinet/tcp_input.c
parent	777e0f8e3a7b81aeb916225eef3041c0d7019ca9 (diff)
download	FreeBSD-src-f70f4c314a94a4324c5dc34b2660fd66a18f35b4.zip FreeBSD-src-f70f4c314a94a4324c5dc34b2660fd66a18f35b4.tar.gz