> On 30. Oct 2022, at 06:52, Michael van Elst <mlel...@serpens.de> wrote:
> 
> ozak...@netbsd.org (Ryota Ozaki) writes:
> 
>> I've committed a possible fix.  Could you try it?
> 
>> Thanks,
>> ozaki-r
> 
> 
> I just got a NULL pointer dereference in tcp_ctloutput where
> the previous check for inp == NULL is also missing.
> 
> [ 24837.756043] fp ffffc0016794db70 tcp_ctloutput() at ffffc000002ec4b4 netbsd:tcp_ctloutput+0x94
> [ 24837.756043] fp ffffc0016794dcc0 tcp_ctloutput_wrapper() at ffffc000002d2680 netbsd:tcp_ctloutput_wrapper+-0x31150
> [ 24837.756043] fp ffffc0016794dcf0 sosetopt() at ffffc00000603cbc netbsd:sosetopt+0x78
> [ 24837.756043] fp ffffc0016794ddb0 sys_setsockopt() at ffffc0000060b0fc netbsd:sys_setsockopt+0x7c
> [ 24837.766041] fp ffffc0016794de20 syscall() at ffffc000000b30fc netbsd:syscall+0x19c
> 
> That's:
> 
> int
> tcp_ctloutput(int op, struct socket *so, struct sockopt *sopt)
> {
> ...
>         s = splsoftnet();
>         inp = sotoinpcb(so);
> ...
>         }
>         tp = intotcpcb(inp);             <---------
> 
>         switch (op) {

... and syzkaller (https://syzkaller.appspot.com/netbsd) has a
bunch of new TCP-related crashes starting ~2 days before ...

--
J. Hannken-Illjes - hann...@mailbox.org
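For readers following the thread, here is a constructed C model of the bug pattern described above (a socket whose protocol control block has already been detached reaching tcp_ctloutput, which then dereferences the NULL inp via intotcpcb). This is an added example, not NetBSD's code and not the committed fix: the struct layouts, the option code, the accessor functions and the choice of ECONNRESET as the error for a detached PCB are all assumptions made for the illustration.

```c
/* Constructed model of the missing inp == NULL check in tcp_ctloutput.
 * The structs and helpers below are simplified stand-ins, NOT NetBSD's
 * definitions: a socket points at its protocol control block (so_pcb),
 * the PCB is detached (so_pcb set to NULL) when the connection goes away,
 * and a later setsockopt() on that socket reaches the option handler
 * with no PCB behind it.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define TCP_NODELAY_OPT 1          /* hypothetical option code */

struct tcpcb { int t_flags; };                   /* TCP control block (model) */
struct inpcb { struct tcpcb *inp_ppcb; };        /* Internet PCB (model) */
struct socket { void *so_pcb; };                 /* NULL once detached */

/* Accessors named after the kernel macros for readability. */
static struct inpcb *sotoinpcb(struct socket *so) { return (struct inpcb *)so->so_pcb; }
static struct tcpcb *intotcpcb(struct inpcb *inp) { return inp->inp_ppcb; }

/* "Before": no guard. sotoinpcb() may return NULL and intotcpcb() then
 * dereferences it; on a detached socket this is the crash in the trace. */
static int tcp_ctloutput_unguarded(struct socket *so, int opt, int val)
{
    struct inpcb *inp = sotoinpcb(so);
    struct tcpcb *tp = intotcpcb(inp);          /* NULL deref if inp == NULL */
    if (opt != TCP_NODELAY_OPT) return ENOPROTOOPT;
    if (val) tp->t_flags |= TCP_NODELAY_OPT; else tp->t_flags &= ~TCP_NODELAY_OPT;
    return 0;
}

/* "After": fail cleanly instead of touching a detached PCB. ECONNRESET is
 * the error chosen for this model; the real fix's code is not on the page. */
static int tcp_ctloutput_guarded(struct socket *so, int opt, int val)
{
    struct inpcb *inp = sotoinpcb(so);
    if (inp == NULL)
        return ECONNRESET;                      /* the check that was missing */
    struct tcpcb *tp = intotcpcb(inp);
    if (opt != TCP_NODELAY_OPT) return ENOPROTOOPT;
    if (val) tp->t_flags |= TCP_NODELAY_OPT; else tp->t_flags &= ~TCP_NODELAY_OPT;
    return 0;
}

static struct socket *make_tcp_socket(void)
{
    struct socket *so = calloc(1, sizeof *so);
    struct inpcb *inp = calloc(1, sizeof *inp);
    inp->inp_ppcb = calloc(1, sizeof(struct tcpcb));
    so->so_pcb = inp;
    return so;
}

/* Simulates the PCB going away (reset/close) while the socket itself is
 * still reachable through a file descriptor. */
static void detach_pcb(struct socket *so)
{
    struct inpcb *inp = sotoinpcb(so);
    if (inp) { free(inp->inp_ppcb); free(inp); }
    so->so_pcb = NULL;
}

/* Live socket: both variants work; returns the resulting t_flags. */
int scenario_live_socket(void)
{
    struct socket *so = make_tcp_socket();
    int flags = -1;
    if (tcp_ctloutput_unguarded(so, TCP_NODELAY_OPT, 1) == 0 &&
        tcp_ctloutput_guarded(so, TCP_NODELAY_OPT, 1) == 0)
        flags = intotcpcb(sotoinpcb(so))->t_flags;
    detach_pcb(so);
    free(so);
    return flags;
}

/* Detached socket: only the guarded variant may be called; returns errno. */
int scenario_detached_socket(void)
{
    struct socket *so = make_tcp_socket();
    detach_pcb(so);
    int rc = tcp_ctloutput_guarded(so, TCP_NODELAY_OPT, 1);
    free(so);
    return rc;
}

int main(void)
{
    printf("live socket t_flags = %d\n", scenario_live_socket());
    printf("detached socket rc  = %d (ECONNRESET = %d)\n",
           scenario_detached_socket(), ECONNRESET);
    return 0;
}
```

The point of the model is the ordering: the PCB lookup can legitimately return NULL for a socket the process still holds, so any protocol ctloutput routine has to check inp before intotcpcb(), exactly where the arrow in the quoted snippet sits.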
