In ip_ctloutput(), check for a NULL inpcb pointer before dereferencing,

as this can occur with TCP if protocol-layer socket options are set or
queried after the connection has closed.  There are still races
associated with ip_ctloutput() and connection close with TCP, corrected
in HEAD via a more comprehensive set of changes, but this fixes the
trivial panic reported on several occasions.

This is a RELENG_6_1 and RELENG_6_0 errata branch candidate.

PR:		97095
Tested by:	Stanislaw Halik <sthalik at tehran dot lain dot pl>
MFC after:	3 days
This commit is contained in:
rwatson 2006-07-03 23:14:28 +00:00
parent 3a5046ed40
commit 573f176594

@ -1162,6 +1162,9 @@ ip_ctloutput(so, sopt)
return (EINVAL);
}
if (inp == NULL)
return (EINVAL);
switch (sopt->sopt_dir) {
case SOPT_SET:
switch (sopt->sopt_name) {
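
Review bot: The new `if (inp == NULL)` test in ip_ctloutput() carries no comment saying when the inpcb can be missing, and it returns the same EINVAL as the check directly above it, so a caller cannot tell a bad option level from a socket whose connection has already closed. Add a one-line comment above the test noting that the pcb may be gone after a TCP close (as the commit message describes), and consider a distinct errno such as ECONNRESET for that case. The test is also a plain check followed by later use with no locking visible in this hunk, which matches the remaining races the commit message acknowledges; a short XXX comment pointing at the HEAD changes would keep later readers from treating this check as a complete fix.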