On Sun, Dec 02, 2018 at 09:29:23AM +0100, Claudio Jeker wrote:
> On Sat, Dec 01, 2018 at 06:44:31PM -0800, Greg Steuck wrote:
> > This thwarts the reproducer. Again, I don't know if the invariants are
> > getting violated somewhere else and the patch below is simply papering over
> > the symptoms.
>
> I would like to better understand how we get so far with a socket where
> so_pcb is not initialized. This and also the other bug are basically the
> same. The stack assumes that after a successful socket() operation both
> socket and pcb exist and are connected. Since this seems to not be
> the case it is important to catch those errors further up in uipc_socket.c
> before passing down into protocol specific functions.
>
So the issue is the double connect() call on the SOCK_RAW socket. The second connect is calling PRU_DISCONNECT which in the end does a FALLTHROUGH into PRU_ABORT which removes the inp by calling in_pcbdetach(). I think the proper fix is to not have this FALLTHROUGH and just call soisdisconnected(). Maybe inp->inp_faddr should also be reset to 0. This will also fix other double connect() SOCK_RAW crashes you spotted.

-- 
:wq Claudio

Index: raw_ip.c =================================================================== RCS file: /cvs/src/sys/netinet/raw_ip.c,v retrieving revision 1.115 diff -u -p -r1.115 raw_ip.c --- raw_ip.c 10 Nov 2018 18:40:34 -0000 1.115 +++ raw_ip.c 2 Dec 2018 09:52:58 -0000 @@ -385,7 +385,8 @@ rip_usrreq(struct socket *so, int req, s error = ENOTCONN; break; } - /* FALLTHROUGH */ + soisdisconnected(so); + break; case PRU_ABORT: soisdisconnected(so); if (inp == NULL)
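Review bot: the new PRU_DISCONNECT arm only flips the socket state and leaves the PCB untouched, so after the `break;` the inp still carries the foreign address from the first connect() even though the mail itself says inp->inp_faddr should probably be reset; clearing it before the `break;` (for example `inp->inp_faddr.s_addr = INADDR_ANY;` next to the new `soisdisconnected(so);`) keeps the PCB consistent with the SS_ISCONNECTED state that the ENOTCONN check just above relies on, otherwise a later connect() sees a socket that is "disconnected" yet still has a peer recorded. A one-line comment where the `/* FALLTHROUGH */` used to be, stating that a disconnect must not detach the pcb (which is what falling into PRU_ABORT and in_pcbdetach() did, and what the double connect() reproducer tripped over), would also stop someone from re-adding the fallthrough later, since soisdisconnected(so) now appears in both arms and the duplication invites a "cleanup".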