Before dereferencing intotw() when INP_TIMEWAIT, check for inp_ppcb being

NULL.  We currently do allow this to happen, but may want to remove that
possibility in the future.  This case can occur when a socket is left
open after TCP wraps up, and the timewait state is recycled.  This will
be cleaned up in the future.

Found by:	Kazuaki Oda <kaakun at highway dot ne dot jp>
MFC after:	3 months

5 files changed, 62 insertions, 14 deletions

diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index 212092c..20c56ed 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -322,6 +322,8 @@ in_pcbbind_setup(struct inpcb *inp, struct sockaddr *nam, in_addr_t *laddrp,
 		laddr = sin->sin_addr;
 		if (lport) {
 			struct inpcb *t;
+			struct tcptw *tw;
+
 			/* GROSS */
 			if (ntohs(lport) <= ipport_reservedhigh &&
 			    ntohs(lport) >= ipport_reservedlow &&
@@ -355,10 +357,17 @@ in_pcbbind_setup(struct inpcb *inp, struct sockaddr *nam, in_addr_t *laddrp,
 			t = in_pcblookup_local(pcbinfo, sin->sin_addr,
 			    lport, prison ? 0 : wild);
 			if (t && (t->inp_vflag & INP_TIMEWAIT)) {
-				if ((reuseport & intotw(t)->tw_so_options) == 0)
+				/*
+				 * XXXRW: If an incpb has had its timewait
+				 * state recycled, we treat the address as
+				 * being in use (for now).  This is better
+				 * than a panic, but not desirable.
+				 */
+				tw = intotw(inp);
+				if (tw == NULL ||
+				    (reuseport & tw->tw_so_options) == 0)
 					return (EADDRINUSE);
-			} else
-			if (t &&
+			} else if (t &&
 			    (reuseport & t->inp_socket->so_options) == 0) {
 #if defined(INET6)
 				if (ntohl(sin->sin_addr.s_addr) !=
@@ -950,7 +959,8 @@ in_pcblookup_local(struct inpcbinfo *pcbinfo, struct in_addr laddr,
 				 */
 				if ((inp->inp_vflag & INP_TIMEWAIT) != 0) {
 					tw = intotw(inp);
-					if (tcp_twrecycleable(tw)) {
+					if (tw != NULL &&
+					    tcp_twrecycleable(tw)) {
 						INP_LOCK(inp);
 						tcp_twclose(tw, 0);
 						match = NULL;
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 8662ffc..ad94e76 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -3156,6 +3156,15 @@ tcp_timewait(tw, to, th, m, tlen)
 	const int isipv6 = 0;
 #endif
 
+	/*
+	 * XXXRW: Time wait state for inpcb has been recycled, but inpcb is
+	 * still present.  This is undesirable, but temporarily necessary
+	 * until we work out how to handle inpcb's who's timewait state has
+	 * been removed.
+	 */
+	if (tw == NULL)
+		goto drop;
+
 	/* tcbinfo lock required for tcp_twclose(), tcp_2msl_reset. */
 	INP_INFO_WLOCK_ASSERT(&tcbinfo);
 	INP_LOCK_ASSERT(tw->tw_inpcb);
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index 8662ffc..ad94e76 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -3156,6 +3156,15 @@ tcp_timewait(tw, to, th, m, tlen)
 	const int isipv6 = 0;
 #endif
 
+	/*
+	 * XXXRW: Time wait state for inpcb has been recycled, but inpcb is
+	 * still present.  This is undesirable, but temporarily necessary
+	 * until we work out how to handle inpcb's who's timewait state has
+	 * been removed.
+	 */
+	if (tw == NULL)
+		goto drop;
+
 	/* tcbinfo lock required for tcp_twclose(), tcp_2msl_reset. */
 	INP_INFO_WLOCK_ASSERT(&tcbinfo);
 	INP_LOCK_ASSERT(tw->tw_inpcb);
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 66e438d..465b958 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -946,10 +946,13 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS)
 			 * TCP state changes, is not quite right, but for
 			 * now, better than nothing.
 			 */
-			if (inp->inp_vflag & INP_TIMEWAIT)
-				error = cr_cansee(req->td->td_ucred,
-				    intotw(inp)->tw_cred);
-			else
+			if (inp->inp_vflag & INP_TIMEWAIT) {
+				if (intotw(inp) != NULL)
+					error = cr_cansee(req->td->td_ucred,
+					    intotw(inp)->tw_cred);
+				else
+					error = EINVAL;	/* Skip this inp. */
+			} else
 				error = cr_canseesocket(req->td->td_ucred,
 				    inp->inp_socket);
 			if (error == 0)
@@ -2323,8 +2326,15 @@ sysctl_drop(SYSCTL_HANDLER_ARGS)
 	if (inp != NULL) {
 		INP_LOCK(inp);
 		if (inp->inp_vflag & INP_TIMEWAIT) {
+			/*
+			 * XXXRW: There currently exists a state where an
+			 * inpcb is present, but its timewait state has been
+			 * discarded.  For now, don't allow dropping of this
+			 * type of inpcb.
+			 */
 			tw = intotw(inp);
-			tcp_twclose(tw, 0);
+			if (tw != NULL)
+				tcp_twclose(tw, 0);
 		} else if (!(inp->inp_vflag & INP_DROPPED) &&
 			   !(inp->inp_socket->so_options & SO_ACCEPTCONN)) {
 			tp = intotcpcb(inp);
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 66e438d..465b958 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -946,10 +946,13 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS)
 			 * TCP state changes, is not quite right, but for
 			 * now, better than nothing.
 			 */
-			if (inp->inp_vflag & INP_TIMEWAIT)
-				error = cr_cansee(req->td->td_ucred,
-				    intotw(inp)->tw_cred);
-			else
+			if (inp->inp_vflag & INP_TIMEWAIT) {
+				if (intotw(inp) != NULL)
+					error = cr_cansee(req->td->td_ucred,
+					    intotw(inp)->tw_cred);
+				else
+					error = EINVAL;	/* Skip this inp. */
+			} else
 				error = cr_canseesocket(req->td->td_ucred,
 				    inp->inp_socket);
 			if (error == 0)
@@ -2323,8 +2326,15 @@ sysctl_drop(SYSCTL_HANDLER_ARGS)
 	if (inp != NULL) {
 		INP_LOCK(inp);
 		if (inp->inp_vflag & INP_TIMEWAIT) {
+			/*
+			 * XXXRW: There currently exists a state where an
+			 * inpcb is present, but its timewait state has been
+			 * discarded.  For now, don't allow dropping of this
+			 * type of inpcb.
+			 */
 			tw = intotw(inp);
-			tcp_twclose(tw, 0);
+			if (tw != NULL)
+				tcp_twclose(tw, 0);
 		} else if (!(inp->inp_vflag & INP_DROPPED) &&
 			   !(inp->inp_socket->so_options & SO_ACCEPTCONN)) {
 			tp = intotcpcb(inp);