authortegge <tegge@FreeBSD.org>1999-06-16 19:05:17 +0000
committertegge <tegge@FreeBSD.org>1999-06-16 19:05:17 +0000
commita427e410f252fd837455954e644f85ba6e8bdd52 (patch)
tree35cc3277ceade45c094482debe1bed189e0f7383 /sys/netinet
parent9ff44d83fe22b084e700851e4c32720491d3a8d7 (diff)
Close a race window where a tcp socket is closed while tcp_pcblist is
copying out tcp socket info, causing a NULL pointer to be dereferenced.
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/tcp_subr.c9
-rw-r--r--sys/netinet/tcp_timewait.c9
2 files changed, 14 insertions, 4 deletions
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 8858b18..7560313 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95
- * $Id: tcp_subr.c,v 1.53 1999/04/28 11:37:49 phk Exp $
+ * $Id: tcp_subr.c,v 1.54 1999/05/03 23:57:31 billf Exp $
*/
#include "opt_compat.h"
@@ -552,10 +552,15 @@ tcp_pcblist SYSCTL_HANDLER_ARGS
inp = inp_list[i];
if (inp->inp_gencnt <= gencnt) {
struct xtcpcb xt;
+ caddr_t inp_ppcb;
xt.xt_len = sizeof xt;
/* XXX should avoid extra copy */
bcopy(inp, &xt.xt_inp, sizeof *inp);
- bcopy(inp->inp_ppcb, &xt.xt_tp, sizeof xt.xt_tp);
+ inp_ppcb = inp->inp_ppcb;
+ if (inp_ppcb != NULL)
+ bcopy(inp_ppcb, &xt.xt_tp, sizeof xt.xt_tp);
+ else
+ bzero((char *) &xt.xt_tp, sizeof xt.xt_tp);
if (inp->inp_socket)
sotoxsocket(inp->inp_socket, &xt.xt_socket);
error = SYSCTL_OUT(req, &xt, sizeof xt);
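Review bot: `xt` is still exported with parts of it uninitialized: when `inp->inp_socket` is NULL the `sotoxsocket()` call is skipped and `xt.xt_socket` keeps whatever was on the kernel stack, yet `SYSCTL_OUT(req, &xt, sizeof xt)` copies out the whole structure, including any padding between members. Zeroing it once right after the declaration, `bzero(&xt, sizeof xt);`, would cover that case and make the new `else bzero(...)` branch unnecessary. The identical hunk in sys/netinet/tcp_timewait.c has the same gap. Separately, reading `inp->inp_ppcb` into a local only helps if nothing can free the tcpcb between that load and the `bcopy`; whatever guarantees this is outside the hunk, so a one-line comment naming it would help the next reader. The body of tcp_pcblist starts and ends outside this hunk.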
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 8858b18..7560313 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95
- * $Id: tcp_subr.c,v 1.53 1999/04/28 11:37:49 phk Exp $
+ * $Id: tcp_subr.c,v 1.54 1999/05/03 23:57:31 billf Exp $
*/
#include "opt_compat.h"
@@ -552,10 +552,15 @@ tcp_pcblist SYSCTL_HANDLER_ARGS
inp = inp_list[i];
if (inp->inp_gencnt <= gencnt) {
struct xtcpcb xt;
+ caddr_t inp_ppcb;
xt.xt_len = sizeof xt;
/* XXX should avoid extra copy */
bcopy(inp, &xt.xt_inp, sizeof *inp);
- bcopy(inp->inp_ppcb, &xt.xt_tp, sizeof xt.xt_tp);
+ inp_ppcb = inp->inp_ppcb;
+ if (inp_ppcb != NULL)
+ bcopy(inp_ppcb, &xt.xt_tp, sizeof xt.xt_tp);
+ else
+ bzero((char *) &xt.xt_tp, sizeof xt.xt_tp);
if (inp->inp_socket)
sotoxsocket(inp->inp_socket, &xt.xt_socket);
error = SYSCTL_OUT(req, &xt, sizeof xt);