sdp: Use an mbufq for received control packets.
This is simpler than the hand-rolled queue, and fixes a use-after-free. Sponsored by: EMC / Isilon Storage Division
This commit is contained in:
markj
parent
62a56fa648
commit
f9f7369f3f
@ -403,8 +403,7 @@ struct sdp_sock {
|
||||
struct sdp_rx_ring rx_ring;
|
||||
struct sdp_tx_ring tx_ring;
|
||||
struct rwlock lock;
|
||||
struct mbuf *rx_ctl_q;
|
||||
struct mbuf *rx_ctl_tail;
|
||||
struct mbufq rxctlq; /* received control packets */
|
||||
|
||||
int qp_active; /* XXX Flag. */
|
||||
int max_sge;
|
||||
|
||||
@ -469,6 +469,7 @@ sdp_attach(struct socket *so, int proto, struct thread *td)
|
||||
ssk->flags = 0;
|
||||
ssk->qp_active = 0;
|
||||
ssk->state = TCPS_CLOSED;
|
||||
mbufq_init(&ssk->rxctlq, INT_MAX);
|
||||
SDP_LIST_WLOCK();
|
||||
LIST_INSERT_HEAD(&sdp_list, ssk, list);
|
||||
sdp_count++;
|
||||
|
||||
@ -459,14 +459,9 @@ sdp_process_rx_mb(struct sdp_sock *ssk, struct mbuf *mb)
|
||||
ntohl(rrch->len));
|
||||
}
|
||||
#endif
|
||||
mb->m_nextpkt = NULL;
|
||||
if (ssk->rx_ctl_tail)
|
||||
ssk->rx_ctl_tail->m_nextpkt = mb;
|
||||
else
|
||||
ssk->rx_ctl_q = mb;
|
||||
ssk->rx_ctl_tail = mb;
|
||||
|
||||
return 0;
|
||||
if (mbufq_enqueue(&ssk->rxctlq, mb) != 0)
|
||||
m_freem(mb);
|
||||
return (0);
|
||||
}
|
||||
|
||||
sdp_prf1(sk, NULL, "queueing %s mb\n", mid2str(h->mid));
|
||||
@ -611,11 +606,8 @@ sdp_do_posts(struct sdp_sock *ssk)
|
||||
return;
|
||||
}
|
||||
|
||||
while ((mb = ssk->rx_ctl_q)) {
|
||||
ssk->rx_ctl_q = mb->m_nextpkt;
|
||||
mb->m_nextpkt = NULL;
|
||||
while ((mb = mbufq_dequeue(&ssk->rxctlq)) != NULL)
|
||||
sdp_process_rx_ctl_mb(ssk, mb);
|
||||
}
|
||||
|
||||
if (ssk->state == TCPS_TIME_WAIT)
|
||||
return;
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user