diff options
author | rwatson <rwatson@FreeBSD.org> | 2006-04-04 12:26:07 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2006-04-04 12:26:07 +0000 |
commit | 2e3d21db7b554ea3c353bf7f436a3adcc1d0a40a (patch) | |
tree | 3ae678c38dc3a2f611a58b8c87c8c1104c4a32b7 /sys/netinet/tcp_timewait.c | |
parent | c728727d1bde760303ed2b7f1503985cf5d06ede (diff) | |
download | FreeBSD-src-2e3d21db7b554ea3c353bf7f436a3adcc1d0a40a.zip FreeBSD-src-2e3d21db7b554ea3c353bf7f436a3adcc1d0a40a.tar.gz |
Before dereferencing intotw() when INP_TIMEWAIT, check for inp_ppcb being
NULL. We currently do allow this to happen, but may want to remove that
possibility in the future. This case can occur when a socket is left
open after TCP wraps up, and the timewait state is recycled. This will
be cleaned up in the future.
Found by: Kazuaki Oda <kaakun at highway dot ne dot jp>
MFC after: 3 months
Diffstat (limited to 'sys/netinet/tcp_timewait.c')
-rw-r--r-- | sys/netinet/tcp_timewait.c | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c index 66e438d..465b958 100644 --- a/sys/netinet/tcp_timewait.c +++ b/sys/netinet/tcp_timewait.c @@ -946,10 +946,13 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS) * TCP state changes, is not quite right, but for * now, better than nothing. */ - if (inp->inp_vflag & INP_TIMEWAIT) - error = cr_cansee(req->td->td_ucred, - intotw(inp)->tw_cred); - else + if (inp->inp_vflag & INP_TIMEWAIT) { + if (intotw(inp) != NULL) + error = cr_cansee(req->td->td_ucred, + intotw(inp)->tw_cred); + else + error = EINVAL; /* Skip this inp. */ + } else error = cr_canseesocket(req->td->td_ucred, inp->inp_socket); if (error == 0) @@ -2323,8 +2326,15 @@ sysctl_drop(SYSCTL_HANDLER_ARGS) if (inp != NULL) { INP_LOCK(inp); if (inp->inp_vflag & INP_TIMEWAIT) { + /* + * XXXRW: There currently exists a state where an + * inpcb is present, but its timewait state has been + * discarded. For now, don't allow dropping of this + * type of inpcb. + */ tw = intotw(inp); - tcp_twclose(tw, 0); + if (tw != NULL) + tcp_twclose(tw, 0); } else if (!(inp->inp_vflag & INP_DROPPED) && !(inp->inp_socket->so_options & SO_ACCEPTCONN)) { tp = intotcpcb(inp); |