Author: mmacy
Date: Tue Jul  3 23:30:53 2018
New Revision: 335919
URL: https://svnweb.freebsd.org/changeset/base/335919

Log:
  udp6_input: validate inpcb before use
  
  When traversing pcbinfo lists (rather than calling lookup) we need to
  explicitly validate an inpcb before use.

Modified:
  head/sys/netinet6/udp6_usrreq.c

Modified: head/sys/netinet6/udp6_usrreq.c
==============================================================================
--- head/sys/netinet6/udp6_usrreq.c     Tue Jul  3 23:29:18 2018        
(r335918)
+++ head/sys/netinet6/udp6_usrreq.c     Tue Jul  3 23:30:53 2018        
(r335919)
@@ -355,6 +355,10 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
                                int                      blocked;
 
                                INP_RLOCK(inp);
+                               if (__predict_false(inp->inp_flags2 & 
INP_FREED)) {
+                                       INP_RUNLOCK(inp);
+                                       continue;
+                               }
 
                                bzero(&mcaddr, sizeof(struct sockaddr_in6));
                                mcaddr.sin6_len = sizeof(struct sockaddr_in6);
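Review bot: The new `INP_FREED` check after `INP_RLOCK(inp)` has no comment, so the reason it is needed here is recorded only in the commit log. A one-line comment above the check would keep that reasoning with the code, for example `/* pcbs reached by list traversal are not validated by lookup; skip freed ones. */`. udp6_input's body starts and ends outside this hunk.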
@@ -382,10 +386,12 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
                                if ((n = m_copym(m, 0, M_COPYALL, M_NOWAIT)) !=
                                    NULL) {
                                        INP_RLOCK(last);
-                                       UDP_PROBE(receive, NULL, last, ip6,
-                                           last, uh);
-                                       if (udp6_append(last, n, off, fromsa))
-                                               goto inp_lost;
+                                       if (__predict_true(inp->inp_flags2 & 
INP_FREED) == 0) {
+                                               UDP_PROBE(receive, NULL, last, 
ip6,
+                                               last, uh);
+                                               if (udp6_append(last, n, off, 
fromsa))
+                                                       goto inp_lost;
+                                       }
                                        INP_RUNLOCK(last);
                                }
                        }
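Review bot: The added guard tests `inp->inp_flags2`, but the pcb that was just read-locked and is passed to udp6_append() is `last`, so the freed check is not applied to the object actually used. The guard in the third hunk after `INP_RLOCK(last)` has the same problem. In the third hunk, if `inp` is the cursor of the list traversal above (not visible here), it may no longer point at a valid pcb at that point, which would make the read itself unsafe. The branch hint also wraps the flag test rather than the comparison, so it predicts that the flag is set. Suggested form for both places: `if (__predict_true((last->inp_flags2 & INP_FREED) == 0)) {`. udp6_input's body begins and ends outside these hunks.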
@@ -414,10 +420,13 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
                        goto badheadlocked;
                }
                INP_RLOCK(last);
-               INP_INFO_RUNLOCK(pcbinfo);
-               UDP_PROBE(receive, NULL, last, ip6, last, uh);
-               if (udp6_append(last, m, off, fromsa) == 0) 
+               if (__predict_true(inp->inp_flags2 & INP_FREED) == 0) {
+                       UDP_PROBE(receive, NULL, last, ip6, last, uh);
+                       if (udp6_append(last, m, off, fromsa) == 0)
+                               INP_RUNLOCK(last);
+               } else
                        INP_RUNLOCK(last);
+               INP_INFO_RUNLOCK(pcbinfo);
        inp_lost:
                return (IPPROTO_DONE);
        }
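Review bot: A non-zero return from udp6_append() skips `INP_RUNLOCK(last)` with no comment, so a reader cannot tell from this hunk whether the lock is leaked or was already dropped by the callee. If udp6_append() releases the pcb lock on failure, as the pre-existing `== 0` test suggests, say so above the call: `/* udp6_append() returns non-zero after dropping the inp lock. */`. The unbraced `else` after a braced `if` body is also easy to misread next to the following `INP_INFO_RUNLOCK(pcbinfo)`; bracing both arms would make the scope explicit.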