Fix a potential use after free in getsockopt() access to inp_options

Discussed with: jhb
Reviewed by:	sbruno, transport
MFC after:	2 weeks
Sponsored by:	Limelight Networks
Differential Revision:	https://reviews.freebsd.org/D14621
mmacy 2018-07-22 20:02:14 +00:00
parent a6a9997976
commit 813f5d12cc


@ -1256,13 +1256,23 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
switch (sopt->sopt_name) {
case IP_OPTIONS:
case IP_RETOPTS:
if (inp->inp_options)
error = sooptcopyout(sopt,
mtod(inp->inp_options,
char *),
inp->inp_options->m_len);
else
INP_RLOCK(inp);
if (inp->inp_options) {
struct mbuf *options;
options = m_dup(inp->inp_options, M_NOWAIT);
INP_RUNLOCK(inp);
if (options != NULL) {
error = sooptcopyout(sopt,
mtod(options, char *),
options->m_len);
m_freem(options);
} else
error = ENOMEM;
} else {
INP_RUNLOCK(inp);
sopt->sopt_valsize = 0;
}
break;
case IP_TOS:
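Review bot: The lock, duplicate, unlock sequence in the IP_OPTIONS/IP_RETOPTS case has no comment saying why the options are copied before sooptcopyout(), so a later cleanup could plausibly point the copyout back at inp->inp_options and reintroduce the race. I would add above `INP_RLOCK(inp);`: `/* Duplicate under the inpcb lock; sooptcopyout() runs unlocked and inp_options may be freed by a concurrent setsockopt(). */`. The fix also relies on every path that replaces or frees inp_options holding the inpcb write lock, which is not visible in this hunk and is worth confirming. Because m_dup() is called with M_NOWAIT, getsockopt() can now return ENOMEM on a transient mbuf shortage, a failure callers did not see before, and the comment or commit message should say so. ip_ctloutput() starts and continues outside the hunk.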