CVSROOT:	/cvs
Module name:	src
Changes by:	bl...@cvs.openbsd.org	2025/06/12 13:10:17

Modified files:
	sys/netinet    : tcp_input.c 

Log message:
Fix use-after-free of inpcb.

In tcp_input.c rev 1.451 a socket leak was fixed which introduced a
use-after-free of the inpcb.  If syn_cache_get() goes to the
resetandabort case, the listen inpcb is stored in listeninp and inp.
There the call to in_pcbunref(inp) accidentally frees the listen socket.
After copying inp to listeninp, set inp to NULL.

Reported-by: syzbot+42a7b662604561ceb...@syzkaller.appspotmail.com
Reported-by: syzbot+05b4b109c89033489...@syzkaller.appspotmail.com
OK deraadt@ claudio@
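The following is an added illustration, not code from OpenBSD or from this commit: a minimal reference-count model of the aliasing pattern the log message describes. The listen socket owns one reference to its pcb, the segment lookup takes a second one, and on the resetandabort path the same pointer ends up in both `inp` and `listeninp`. Every name here (`struct pcb`, `pcb_ref`, `pcb_unref`, `handle_syn`, `remaining_refs`, the `SYN_*` outcomes) is a hypothetical stand-in; the only thing taken from the commit is the one-line fix of clearing `inp` after the copy.

```c
#include <stdio.h>

/* Hypothetical stand-in for an inpcb: only the fields the model needs. */
struct pcb {
	int refcnt;
	int freed;		/* set when the last reference is dropped */
};

static void pcb_ref(struct pcb *p)
{
	p->refcnt++;
}

/* Modelled on in_pcbunref(): NULL is a no-op, the last drop "frees". */
static void pcb_unref(struct pcb *p)
{
	if (p == NULL)
		return;
	if (--p->refcnt == 0)
		p->freed = 1;
}

enum { SYN_OK, SYN_RESETANDABORT };

/*
 * Hypothetical model of the path described in the log message.  The lookup
 * for the incoming segment takes a reference on the listen pcb (inp).  On
 * resetandabort the pcb is also stored in listeninp; with fix == 0 the two
 * aliases are both released on the exit path (the bug), with fix == 1 inp
 * is cleared after the copy so only listeninp is released.
 */
static int handle_syn(struct pcb *listen, int outcome, int fix)
{
	struct pcb *inp, *listeninp = NULL;

	inp = listen;
	pcb_ref(inp);			/* lookup reference */

	if (outcome == SYN_RESETANDABORT) {
		listeninp = inp;	/* listen pcb now in both aliases */
		if (fix)
			inp = NULL;	/* the one-line fix from the commit */
	}

	/* Common exit path: drop whatever references are still held. */
	pcb_unref(inp);
	pcb_unref(listeninp);

	return listen->refcnt;
}

/*
 * Constructed scenario: a listen socket owning one reference.  Returns the
 * number of references left after one segment is handled; 0 means the
 * listen socket was freed while it is still listening (the use-after-free
 * the commit fixes).
 */
static int remaining_refs(int outcome, int fix)
{
	struct pcb listen = { .refcnt = 1, .freed = 0 };

	handle_syn(&listen, outcome, fix);
	return listen.freed ? 0 : listen.refcnt;
}

int main(void)
{
	printf("resetandabort, buggy: %d refs left\n",
	    remaining_refs(SYN_RESETANDABORT, 0));	/* 0: listen socket freed */
	printf("resetandabort, fixed: %d refs left\n",
	    remaining_refs(SYN_RESETANDABORT, 1));	/* 1: socket still alive */
	printf("normal path:          %d refs left\n",
	    remaining_refs(SYN_OK, 1));			/* 1 */
	return 0;
}
```

The general lesson is the same as in the commit: when ownership of a reference moves from one variable to another, the old name must stop pointing at the object, otherwise any later generic "drop everything we hold" exit path releases it twice. In a real kernel the second drop hands the memory back to the allocator while the listening socket still uses it, which is what syzbot observed.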