Date:      Mon, 25 Feb 2019 12:35:52 +0000 (UTC)
From:      Michael Tuexen <tuexen@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject:   svn commit: r344516 - stable/12/sys/netinet
Message-ID:  <201902251235.x1PCZqEj029912@repo.freebsd.org>

Author: tuexen
Date: Mon Feb 25 12:35:52 2019
New Revision: 344516
URL: https://svnweb.freebsd.org/changeset/base/344516

Log:
  MFC r344428:
  
  This patch addresses an issue brought up by bz@ in D18968:
  When TCP_REASS_LOGGING is defined, a NULL pointer dereference would happen
  if user data was received during the TCP handshake and BB logging was used.
  
  A KASSERT is also added to detect tcp_reass() calls with illegal parameter
  combinations.
  
  Reported by:		bz@
  Reviewed by:		rrs@
  Sponsored by:		Netflix, Inc.
  Differential Revision:	https://reviews.freebsd.org/D19254

Modified:
  stable/12/sys/netinet/tcp_reass.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/netinet/tcp_reass.c
==============================================================================
--- stable/12/sys/netinet/tcp_reass.c	Mon Feb 25 12:33:11 2019	(r344515)
+++ stable/12/sys/netinet/tcp_reass.c	Mon Feb 25 12:35:52 2019	(r344516)
@@ -542,6 +542,10 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, tcp_seq
 	 * and should be rewritten (see NetBSD for optimizations).
 	 */
 
+	KASSERT(th == NULL || (seq_start != NULL && tlenp != NULL),
+	        ("tcp_reass called with illegal parameter combination "
+	         "(tp=%p, th=%p, seq_start=%p, tlenp=%p, m=%p)",
+	         tp, th, seq_start, tlenp, m));
 	/*
 	 * Call with th==NULL after become established to
 	 * force pre-ESTABLISHED data up to user socket.
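Review bot: The contract the new KASSERT enforces — seq_start and tlenp may be NULL only when th is NULL — is not stated in the comment block directly below it, which describes only the th==NULL calling convention; a reader of that comment will not learn that the other two pointers are unusable in that case. I would extend the comment with ` * In that case seq_start and tlenp may be NULL and must not be dereferenced.` Note also that KASSERT is compiled out without INVARIANTS, so in production builds nothing checks this combination and the th != NULL guards in the logging paths later in this function are the only protection against the dereference. tcp_reass() begins and ends outside this hunk.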
@@ -1062,12 +1066,20 @@ present:
 		} else {
 #ifdef TCP_REASS_LOGGING
 			tcp_reass_log_new_in(tp, q->tqe_start, q->tqe_len, q->tqe_m, TCP_R_LOG_READ, q);
-			tcp_log_reassm(tp, q, NULL, th->th_seq, *tlenp, TCP_R_LOG_READ, 1);
+			if (th != NULL) {
+				tcp_log_reassm(tp, q, NULL, th->th_seq, *tlenp, TCP_R_LOG_READ, 1);
+			} else {
+				tcp_log_reassm(tp, q, NULL, 0, 0, TCP_R_LOG_READ, 1);
+			}
 #endif
 			sbappendstream_locked(&so->so_rcv, q->tqe_m, 0);
 		}
 #ifdef TCP_REASS_LOGGING
-		tcp_log_reassm(tp, q, NULL, th->th_seq, *tlenp, TCP_R_LOG_READ, 2);
+		if (th != NULL) {
+			tcp_log_reassm(tp, q, NULL, th->th_seq, *tlenp, TCP_R_LOG_READ, 2);
+		} else {
+			tcp_log_reassm(tp, q, NULL, 0, 0, TCP_R_LOG_READ, 2);
+		}
 #endif
 		KASSERT(tp->t_segqmbuflen >= q->tqe_mbuf_cnt,
 			("tp:%p seg queue goes negative", tp));
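Review bot: The same five-line `if (th != NULL) … else …` block is now repeated three times with only the instance argument differing (twice in this hunk, once more in the hunk at the TCP_R_LOG_ZERO site), and each copy adds two nesting levels inside an `#ifdef` for what is really a choice of two arguments. A single call with conditional arguments reads more easily and keeps the three sites from drifting apart: `tcp_log_reassm(tp, q, NULL, th != NULL ? th->th_seq : 0,` / `    th != NULL ? *tlenp : 0, TCP_R_LOG_READ, 1);`, with the same shape at the other two sites. The substituted values 0/0 are presumably indistinguishable in the log from a real segment at sequence 0 of length 0 — if that matters to log consumers, a short comment such as `/* th == NULL: pre-ESTABLISHED flush, no header to report */` at the first site would make the sentinel explicit. The enclosing loop and the `present:` label start outside this hunk.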
@@ -1083,7 +1095,11 @@ present:
 		      tp, &tp->t_segq, tp->t_segqmbuflen);
 #else
 #ifdef TCP_REASS_LOGGING
-		tcp_log_reassm(tp, NULL, NULL, th->th_seq, *tlenp, TCP_R_LOG_ZERO, 0);
+		if (th != NULL) {
+			tcp_log_reassm(tp, NULL, NULL, th->th_seq, *tlenp, TCP_R_LOG_ZERO, 0);
+		} else {
+			tcp_log_reassm(tp, NULL, NULL, 0, 0, TCP_R_LOG_ZERO, 0);
+		}
 #endif
 		tp->t_segqmbuflen = 0;
 #endif


