Date: Sat, 14 Jan 2012 05:03:01 +0100
From: Clément Lecigne <clemun@gmail.com>
To: freebsd-security@freebsd.org
Subject: Double SCTP_INP_RUNLOCK() in SCTP result in KP
Message-ID: <CAKSJdACFPgQLJ%2Bh1Ay2Cwozi2EV0=GXmcw58PbdTAPprHVhv2A@mail.gmail.com>
Hi,

In sctp_usrreq.c, line numbers are based on HEAD:

3041 SCTP_INP_RUNLOCK(inp);
3042 onoff = sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVNXTINFO);
3043 SCTP_INP_RUNLOCK(inp);

The SCTP_INP_RUNLOCK(inp) on line 3043 must be SCTP_INP_LOCK(inp), typo? That results in an easily user-triggerable kernel panic through getsockopt(). I don't think a user can do something evil with this double unlock, which results in a kernel panic due to a NULL dereference in mtx_unlock() on my fresh FreeBSD 9.0.

Bests,
-clem1
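A constructed C model of the unbalanced unlock described in the message above (an added illustration, not code from this e-mail or from the FreeBSD tree): a reader-counted lock stand-in that records any release of a lock nobody holds, driven through the reported unlock/query/unlock sequence and through a variant whose second call re-acquires the lock, which is how the reporter reads the intended code. inp_rlock, inp_runlock, is_feature_on and PCB_FLAGS_RECVNXTINFO are stand-ins for the SCTP macros and flag, not the real definitions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the inp read lock: a reader count plus a flag that
 * records any release of a lock that was not held. Stand-in only, not the
 * FreeBSD rw/mtx implementation. */
struct inp_lock {
    int  readers;
    bool underflow;
};

static void inp_rlock(struct inp_lock *l)
{
    l->readers++;
}

/* Refuse to release a lock with no reader and remember that it happened;
 * a kernel built with lock assertions panics at this point rather than
 * continuing with corrupted lock state. */
static bool inp_runlock(struct inp_lock *l)
{
    if (l->readers <= 0) {
        l->underflow = true;
        return false;
    }
    l->readers--;
    return true;
}

/* Constructed flag and query standing in for sctp_is_feature_on(). */
#define PCB_FLAGS_RECVNXTINFO 0x1u

static bool is_feature_on(unsigned flags, unsigned bit)
{
    return (flags & bit) != 0;
}

/* The sequence from the report: unlock, query, then unlock again. */
static bool query_double_unlock(struct inp_lock *l, unsigned flags)
{
    bool onoff;
    inp_runlock(l);
    onoff = is_feature_on(flags, PCB_FLAGS_RECVNXTINFO);
    inp_runlock(l);          /* the lock is no longer held here */
    return onoff;
}

/* Balanced variant: the second call re-acquires the read lock, so the
 * caller still holds it on return, as it did on entry. */
static bool query_balanced(struct inp_lock *l, unsigned flags)
{
    bool onoff;
    inp_runlock(l);
    onoff = is_feature_on(flags, PCB_FLAGS_RECVNXTINFO);
    inp_rlock(l);
    return onoff;
}

/* Drive one variant the way a caller holding the read lock would, and
 * report whether the lock ended balanced: released cleanly on exit, no
 * underflow, reader count back to zero. Returns 1 when balanced, else 0. */
int sequence_is_balanced(bool use_balanced)
{
    struct inp_lock l = { 0, false };
    unsigned flags = PCB_FLAGS_RECVNXTINFO;
    bool released;

    inp_rlock(&l);                       /* caller's lock on entry */
    if (use_balanced)
        query_balanced(&l, flags);
    else
        query_double_unlock(&l, flags);
    released = inp_runlock(&l);          /* caller's release on exit */

    return (released && !l.underflow && l.readers == 0) ? 1 : 0;
}

int main(void)
{
    printf("double-unlock sequence balanced: %d\n", sequence_is_balanced(false));
    printf("relock sequence balanced:        %d\n", sequence_is_balanced(true));
    return 0;
}
```

The double-unlock path trips the underflow check inside the query, and the caller's own release then fails as well; the relock path leaves the count exactly where the caller expects it. That balance check is the property a lock-assertion build enforces, and it is the simplest regression check to keep next to code that drops and re-takes a lock around a helper call.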