Fix a potential use after free in getsockopt() access to inp_options
Discussed with: jhb Reviewed by: sbruno, transport MFC after: 2 weeks Sponsored by: Limelight Networks Differential Revision: https://reviews.freebsd.org/D14621
This commit is contained in:
parent
a6a9997976
commit
813f5d12cc
@ -1256,13 +1256,23 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
|
||||
switch (sopt->sopt_name) {
|
||||
case IP_OPTIONS:
|
||||
case IP_RETOPTS:
|
||||
if (inp->inp_options)
|
||||
error = sooptcopyout(sopt,
|
||||
mtod(inp->inp_options,
|
||||
char *),
|
||||
inp->inp_options->m_len);
|
||||
else
|
||||
INP_RLOCK(inp);
|
||||
if (inp->inp_options) {
|
||||
struct mbuf *options;
|
||||
|
||||
options = m_dup(inp->inp_options, M_NOWAIT);
|
||||
INP_RUNLOCK(inp);
|
||||
if (options != NULL) {
|
||||
error = sooptcopyout(sopt,
|
||||
mtod(options, char *),
|
||||
options->m_len);
|
||||
m_freem(options);
|
||||
} else
|
||||
error = ENOMEM;
|
||||
} else {
|
||||
INP_RUNLOCK(inp);
|
||||
sopt->sopt_valsize = 0;
|
||||
}
|
||||
break;
|
||||
|
||||
case IP_TOS:
|
||||
|
Loading…
Reference in New Issue
Block a user