CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2025/06/12 13:10:17
Modified files:
sys/netinet : tcp_input.c
Log message:
Fix use-after-free of inpcb.
In tcp_input.c rev 1.451 a socket leak was fixed which introduced
a use-after-free of the inpcb. If syn_cache_get() goes to the
resetandabort case, the listen inpcb is stored in listeninp and
inp. There the call to in_pcbunref(inp) accidentally frees the listen
socket. After copying inp to listeninp, set inp to NULL.
Reported-by: [email protected]
Reported-by: [email protected]
OK deraadt@ claudio@
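
The aliasing pattern the log message describes, as an added toy model in C. This is not the OpenBSD code: struct pcb, pcb_unref() and error_path() are hypothetical names, and the cleanup order and the NULL-tolerant unref are assumptions.

```c
#include <stddef.h>

/* Constructed stand-in for a reference-counted inpcb; not the kernel struct. */
struct pcb {
    int refcnt;
    int freed;      /* set instead of calling free() so the state stays inspectable */
};

static void pcb_unref(struct pcb *p)
{
    if (p == NULL)              /* assumption: unref of NULL is a no-op */
        return;
    if (--p->refcnt == 0)
        p->freed = 1;
}

/*
 * Hypothetical error path. The lookup took one reference on the listener,
 * held through inp. The pointer is copied to listeninp, and the shared
 * cleanup releases both pointers. With clear_alias == 0 the single lookup
 * reference is dropped twice; with clear_alias == 1 ownership moves to
 * listeninp and inp is cleared, as the log message describes.
 */
static void error_path(struct pcb *listener, int clear_alias)
{
    struct pcb *inp, *listeninp;

    listener->refcnt++;         /* reference taken by the lookup */
    inp = listener;

    listeninp = inp;            /* alias: still only one reference held */
    if (clear_alias)
        inp = NULL;             /* the fix: exactly one owner remains */

    pcb_unref(inp);             /* cleanup of inp */
    pcb_unref(listeninp);       /* cleanup of listeninp */
}

/* Returns 1 if the listener was freed while its owner still held a reference. */
int listener_freed_after_error(int clear_alias)
{
    struct pcb listener = { 1, 0 };   /* one reference owned by the socket */

    error_path(&listener, clear_alias);
    return listener.freed;
}
```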