d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

tcp: remove goto and address another NULL deref in SACK

Browse Source 
Missed another NULL dereference during KASSERTS after traversing
the scoreboard. While at it, scratch the goto by making the
traversal conditional, and remove duplicate checks using an
unconditional loop with all checks inside.

Reviewed By:	hselasky
PR:		263445
MFC after:	1 week
Sponsored by:	NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D35428
This commit is contained in:
Richard Scheffenegger 2022-06-08 09:14:16 +02:00
parent c4c5981c14
commit ce2525c810
1 changed files with 9 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
sys/netinet/tcp_sack.c
View File

@ -958,15 +958,17 @@ tcp_sack_output(struct tcpcb *tp, int *sack_bytes_rexmt)
hole = tp->sackhint.nexthole;
if (hole == NULL)
return (hole);
if (SEQ_LT(hole->rxmit, hole->end))
goto out;
while ((hole = TAILQ_NEXT(hole, scblink)) != NULL) {
if (SEQ_LT(hole->rxmit, hole->end)) {
tp->sackhint.nexthole = hole;
break;
if (SEQ_GEQ(hole->rxmit, hole->end)) {
for (;;) {
hole = TAILQ_NEXT(hole, scblink);
if (hole == NULL)
return (hole);
if (SEQ_LT(hole->rxmit, hole->end)) {
tp->sackhint.nexthole = hole;
break;
}
}
}
out:
KASSERT(SEQ_LT(hole->start, hole->end), ("%s: hole.start >= hole.end", __func__));
KASSERT(SEQ_LT(hole->start, tp->snd_fack), ("%s: hole.start >= snd.fack", __func__));
KASSERT(SEQ_LT(hole->end, tp->snd_fack), ("%s: hole.end >= snd.fack", __func__));