From owner-cvs-all  Sat Jan  4 23:22:14 2003
Delivered-To: cvs-all@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id AF17637B401; Sat,  4 Jan 2003 23:22:13 -0800 (PST)
Received: from fasterix.frmug.org (fasterix.frmug.org [137.194.36.1])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id CA8ED43E4A; Sat,  4 Jan 2003 23:22:12 -0800 (PST)
	(envelope-from pb@fasterix.frmug.org)
Received: from fasterix.frmug.org (localhost [127.0.0.1])
	by fasterix.frmug.org (8.12.6/8.12.5) with ESMTP id h057MAc2001054
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO);
	Sun, 5 Jan 2003 08:22:10 +0100 (CET)
	(envelope-from pb@fasterix.frmug.org)
Received: (from pb@localhost)
	by fasterix.frmug.org (8.12.6/8.12.6/Submit) id h057MAbD001053;
	Sun, 5 Jan 2003 08:22:10 +0100 (CET)
Date: Sun, 5 Jan 2003 08:22:10 +0100
From: Pierre Beyssac <pb@fasterix.frmug.org>
To: Jeffrey Hsu <hsu@FreeBSD.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet tcp_subr.c tcp_timer.c
Message-ID: <20030105072210.GA880@fasterix.frmug.org>
References: <200212242100.gBOL0VAJ073588@repoman.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200212242100.gBOL0VAJ073588@repoman.freebsd.org>
User-Agent: Mutt/1.4i
X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to worms and viruses
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-all.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20cvs-all>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20cvs-all>
X-Loop: FreeBSD.ORG

On Tue, Dec 24, 2002 at 01:00:31PM -0800, Jeffrey Hsu wrote:
>   Modified files:
>     sys/netinet          tcp_subr.c tcp_timer.c 
>   Log:
>   Validate inp to prevent an use after free.

This seems to reintroduce the panic at close() I fixed by revision
1.31 of tcp_syncache.c.

I think the following (UNTESTED) patch should be applied to keep
tcp_syncache.c up to date with this new semantics.

--- tcp_syncache.c.old  Sun Dec 22 14:04:08 2002
+++ tcp_syncache.c      Sun Jan  5 08:15:14 2003
@@ -386,7 +386,7 @@
                inp = sc->sc_tp->t_inpcb;
                if (slot == SYNCACHE_MAXREXMTS ||
                    slot >= tcp_syncache.rexmt_limit ||
-                   inp->inp_gencnt != sc->sc_inp_gencnt) {
+                   inp == NULL) {
                        nsc = TAILQ_NEXT(sc, sc_timerq);
                        syncache_drop(sc, NULL);
                        tcpstat.tcps_sc_stale++;

-- 
Pierre Beyssac	      	    pb@fasterix.frmug.org pb@fasterix.freenix.org
    Free domains: http://www.eu.org/ or mail dns-manager@EU.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message