CVS commit: src/sys/netinet6

[Maxime Villard]

Module Name:    src
Committed By:   maxv
Date:           Mon Feb 25 07:31:32 UTC 2019

Modified Files:
        src/sys/netinet6: udp6_usrreq.c

Log Message:
Fix the order in udp6_attach: soreserve should be called before
in6_pcballoc, otherwise if it fails there is still a PCB attached, and
we hit a KASSERT in socreate. In !DIAGNOSTIC this would have caused a
memory leak.

By the way I find the splsoftnet highly suspicious, in6_pcballoc already
does that.

Triggered by SyzKaller.

Reported-by: syzbot+7bace612ca3cc3e12...@syzkaller.appspotmail.com


To generate a diff of this commit:
cvs rdiff -u -r1.146 -r1.147 src/sys/netinet6/udp6_usrreq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/netinet6/udp6_usrreq.c
diff -u src/sys/netinet6/udp6_usrreq.c:1.146 src/sys/netinet6/udp6_usrreq.c:1.147
--- src/sys/netinet6/udp6_usrreq.c:1.146	Mon Jan 28 12:53:01 2019
+++ src/sys/netinet6/udp6_usrreq.c	Mon Feb 25 07:31:32 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: udp6_usrreq.c,v 1.146 2019/01/28 12:53:01 martin Exp $ */
+/* $NetBSD: udp6_usrreq.c,v 1.147 2019/02/25 07:31:32 maxv Exp $ */
 /* $KAME: udp6_usrreq.c,v 1.86 2001/05/27 17:33:00 itojun Exp $ */
 /* $KAME: udp6_output.c,v 1.43 2001/10/15 09:19:52 itojun Exp $ */
 
@@ -63,7 +63,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: udp6_usrreq.c,v 1.146 2019/01/28 12:53:01 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udp6_usrreq.c,v 1.147 2019/02/25 07:31:32 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1045,6 +1045,11 @@ udp6_attach(struct socket *so, int proto
 	KASSERT(sotoin6pcb(so) == NULL);
 	sosetlock(so);
 
+	error = soreserve(so, udp6_sendspace, udp6_recvspace);
+	if (error) {
+		return error;
+	}
+
 	/*
 	 * MAPPED_ADDR implementation spec:
 	 *  Always attach for IPv6, and only when necessary for IPv4.
@@ -1055,10 +1060,7 @@ udp6_attach(struct socket *so, int proto
 	if (error) {
 		return error;
 	}
-	error = soreserve(so, udp6_sendspace, udp6_recvspace);
-	if (error) {
-		return error;
-	}
+
 	in6p = sotoin6pcb(so);
 	in6p->in6p_cksum = -1;	/* just to be sure */