Date:      Sun, 5 Jan 2003 08:22:10 +0100
From:      Pierre Beyssac <pb@fasterix.frmug.org>
To:        Jeffrey Hsu <hsu@FreeBSD.org>
Cc:        cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sys/netinet tcp_subr.c tcp_timer.c
Message-ID:  <20030105072210.GA880@fasterix.frmug.org>
In-Reply-To: <200212242100.gBOL0VAJ073588@repoman.freebsd.org>
References:  <200212242100.gBOL0VAJ073588@repoman.freebsd.org>

On Tue, Dec 24, 2002 at 01:00:31PM -0800, Jeffrey Hsu wrote:
>   Modified files:
>     sys/netinet          tcp_subr.c tcp_timer.c 
>   Log:
>   Validate inp to prevent a use after free.

This seems to reintroduce the panic at close() I fixed by revision
1.31 of tcp_syncache.c.

I think the following (UNTESTED) patch should be applied to keep
tcp_syncache.c up to date with these new semantics.

--- tcp_syncache.c.old  Sun Dec 22 14:04:08 2002
+++ tcp_syncache.c      Sun Jan  5 08:15:14 2003
@@ -386,7 +386,7 @@
                inp = sc->sc_tp->t_inpcb;
                if (slot == SYNCACHE_MAXREXMTS ||
                    slot >= tcp_syncache.rexmt_limit ||
-                   inp->inp_gencnt != sc->sc_inp_gencnt) {
+                   inp == NULL) {
                        nsc = TAILQ_NEXT(sc, sc_timerq);
                        syncache_drop(sc, NULL);
                        tcpstat.tcps_sc_stale++;
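
Review bot: the replacement test `inp == NULL` at the end of the condition drops the comparison of `inp->inp_gencnt` against `sc->sc_inp_gencnt`, so a non-NULL `inp` whose generation count no longer matches the one saved in the syncache entry would no longer be treated as stale. If the new semantics guarantee that a stale `inp` is always NULL here, a short comment saying so would help; otherwise consider keeping both tests, as in `inp == NULL || inp->inp_gencnt != sc->sc_inp_gencnt`. The context line `inp = sc->sc_tp->t_inpcb` also dereferences `sc->sc_tp` before any check, so it is worth confirming that `sc_tp` is still valid at this point, particularly since the patch is marked untested.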

-- 
Pierre Beyssac	      	    pb@fasterix.frmug.org pb@fasterix.freenix.org
    Free domains: http://www.eu.org/ or mail dns-manager@EU.org
