From abe239cfe2512c8652a11e7ee53a8cc75be57d01 Mon Sep 17 00:00:00 2001
From: Jeffrey Hsu
Date: Tue, 24 Dec 2002 21:00:31 +0000
Subject: [PATCH] Validate inp to prevent an use after free.
---
 sys/netinet/tcp_subr.c | 3 ++-
 sys/netinet/tcp_timer.c | 25 +++++++++++++++++++++++++
 sys/netinet/tcp_timewait.c | 3 ++-
 3 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 845df42b6fd4..46e32d9e684d 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -771,6 +771,7 @@ tcp_close(tp)
 		FREE(q, M_TSEGQ);
 	}
 	inp->inp_ppcb = NULL;
+	tp->t_inpcb = NULL;
 	soisdisconnected(so);
 #ifdef INET6
 	if (INP_CHECK_SOCKAF(so, AF_INET6))
@@ -1427,7 +1428,7 @@ tcp_mtudisc(inp, errno)
 
 /*
  * Look-up the routing entry to the peer of this inpcb. If no route
- * is found and it cannot be allocated the return NULL. This routine
+ * is found and it cannot be allocated, then return NULL. This routine
  * is called by TCP routines that access the rmx structure and by tcp_mss
  * to get the interface MTU.
  */
diff --git a/sys/netinet/tcp_timer.c b/sys/netinet/tcp_timer.c
index bbfb9d6a746a..0c626b179084 100644
--- a/sys/netinet/tcp_timer.c
+++ b/sys/netinet/tcp_timer.c
@@ -178,6 +178,11 @@ tcp_timer_delack(xtp)
 	s = splnet();
 	INP_INFO_RLOCK(&tcbinfo);
 	inp = tp->t_inpcb;
+	if (!inp) {
+		INP_INFO_RUNLOCK(&tcbinfo);
+		splx(s);
+		return;
+	}
 	INP_LOCK(inp);
 	INP_INFO_RUNLOCK(&tcbinfo);
 	if (callout_pending(tp->tt_delack) || !callout_active(tp->tt_delack)) {
@@ -209,6 +214,11 @@ tcp_timer_2msl(xtp)
 	s = splnet();
 	INP_INFO_WLOCK(&tcbinfo);
 	inp = tp->t_inpcb;
+	if (!inp) {
+		INP_INFO_WUNLOCK(&tcbinfo);
+		splx(s);
+		return;
+	}
 	INP_LOCK(inp);
 	if (callout_pending(tp->tt_2msl) || !callout_active(tp->tt_2msl)) {
 		INP_UNLOCK(tp->t_inpcb);
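Review bot: The added `tp->t_inpcb = NULL;` in tcp_close is the only signal the timer callouts use to recognise a closed tcpcb, yet nothing at the store says so and it sits right under the unrelated `inp->inp_ppcb = NULL;`, inviting a later cleanup to treat it as redundant; a comment such as `/* Timer callouts test t_inpcb for NULL; one that was already scheduled may still run after this point. */` would pin the intent. The guard can only protect the inpcb side: if the storage behind tp is released together with the inpcb later in tcp_close (outside this hunk), a callout that reaches `tp->t_inpcb` after that release still reads freed memory, so the order of this store, the pcb teardown and the tcbinfo lock held around both should be confirmed rather than assumed. The same hunk is repeated verbatim in the sys/netinet/tcp_timewait.c section of this patch. tcp_close starts before the hunk and continues after it.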
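Review bot: The new `if (!inp)` guard in tcp_timer_delack gives the reader no hint why t_inpcb can be NULL here, and the same five lines recur in tcp_timer_2msl, tcp_timer_keep, tcp_timer_persist and tcp_timer_rexmt with only the lock flavour changing. A comment on this first copy would cover them: `/* tcp_close() clears t_inpcb; a callout that was already scheduled still fires and must bail out here. */`. The placement matters in this handler more than in the others because INP_LOCK is taken before the tcbinfo read lock is released, so the check has to stay between the read of t_inpcb and INP_LOCK. tcp_timer_delack starts before the hunk and continues after it.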
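Review bot: The context line `INP_UNLOCK(tp->t_inpcb);` at the end of the tcp_timer_2msl hunk re-reads the field the new guard has just validated and copied into `inp`, while the keep, persist and rexmt hunks all unlock through the local. Changing it to `INP_UNLOCK(inp);` makes the pointer that was locked the one that is unlocked and keeps t_inpcb read exactly once, under the tcbinfo lock. The line is untouched by the commit but is part of the path the new guard exists to protect. tcp_timer_2msl continues past the end of the hunk.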
@@ -257,6 +267,11 @@ tcp_timer_keep(xtp)
 	s = splnet();
 	INP_INFO_WLOCK(&tcbinfo);
 	inp = tp->t_inpcb;
+	if (!inp) {
+		INP_INFO_WUNLOCK(&tcbinfo);
+		splx(s);
+		return;
+	}
 	INP_LOCK(inp);
 	if (callout_pending(tp->tt_keep) || !callout_active(tp->tt_keep)) {
 		INP_UNLOCK(inp);
@@ -341,6 +356,11 @@ tcp_timer_persist(xtp)
 	s = splnet();
 	INP_INFO_WLOCK(&tcbinfo);
 	inp = tp->t_inpcb;
+	if (!inp) {
+		INP_INFO_WUNLOCK(&tcbinfo);
+		splx(s);
+		return;
+	}
 	INP_LOCK(inp);
 	if (callout_pending(tp->tt_persist) || !callout_active(tp->tt_persist)){
 		INP_UNLOCK(inp);
@@ -403,6 +423,11 @@ tcp_timer_rexmt(xtp)
 	INP_INFO_WLOCK(&tcbinfo);
 	headlocked = 1;
 	inp = tp->t_inpcb;
+	if (!inp) {
+		INP_INFO_WUNLOCK(&tcbinfo);
+		splx(s);
+		return;
+	}
 	INP_LOCK(inp);
 	if (callout_pending(tp->tt_rexmt) || !callout_active(tp->tt_rexmt)) {
 		INP_UNLOCK(inp);
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 845df42b6fd4..46e32d9e684d 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -771,6 +771,7 @@ tcp_close(tp)
 		FREE(q, M_TSEGQ);
 	}
 	inp->inp_ppcb = NULL;
+	tp->t_inpcb = NULL;
 	soisdisconnected(so);
 #ifdef INET6
 	if (INP_CHECK_SOCKAF(so, AF_INET6))
@@ -1427,7 +1428,7 @@ tcp_mtudisc(inp, errno)
 
 /*
  * Look-up the routing entry to the peer of this inpcb. If no route
- * is found and it cannot be allocated the return NULL. This routine
+ * is found and it cannot be allocated, then return NULL. This routine
  * is called by TCP routines that access the rmx structure and by tcp_mss
  * to get the interface MTU.
  */
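Review bot: The new early return in tcp_timer_rexmt drops the tcbinfo lock but leaves `headlocked` at 1, so the flag that appears to record whether tcbinfo is held (inferred from the line that sets it; its readers are outside the hunk) disagrees with the real lock state on that path. Either reset it before leaving, `INP_INFO_WUNLOCK(&tcbinfo); headlocked = 0; splx(s); return;`, or route the bail-out through whatever exit path the function already keeps headlocked for, so a single place owns the unlock. Harmless as long as nothing consults the flag after a return, but a later move to a shared cleanup label could turn it into a double unlock. tcp_timer_rexmt starts before the hunk and continues after it, and `s` is assigned outside the hunk.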