Date:      Tue, 24 Oct 2006 13:23:04 +0000 (UTC)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   cvs commit: src/sys/netinet ip_output.c
Message-ID:  <200610241323.k9ODN4O1070476@repoman.freebsd.org>

rwatson     2006-10-24 13:23:03 UTC

  FreeBSD src repository

  Modified files:        (Branch: RELENG_6)
    sys/netinet          ip_output.c 
  Log:
  Reduce the size of a number of race windows in the TCP socket options
  processing code: a RST may arrive during a socket option call, causing
  the PCB to be freed, leading to an invalid pointer dereference.  When
  the kernel blocks in a socket option copyin or memory allocation (such
  as during heavy paging), the race window is greatly widened.  This
  change re-validates the PCB pointer after returning from the copy/alloc
  operation.  This does not eliminate the problem, but does narrow the
  window significantly (to the point where it may not be observed at all).
  
  The proper fix is in 7.x, which significantly re-works the socket and
  PCB code so that PCB's are not ripped out from under sockets on reset.
  However, those changes are not appropriate for an MFC during a release
  cycle.  As a result, this is not an MFC, but new code crafted for 6.x.
  
  PR:                     kern/102412
  Reported by:            Daniel Austin <daniel at kewlio dot net>
  Tested by:              Diane Bruce <db at db dot net>
  Reviewed by:            Diane Bruce <db at db dot net>
  Approved by:            re (kensmith)
  
  Revision    Changes    Path
  1.242.2.16  +18 -0     src/sys/netinet/ip_output.c
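
The re-validation pattern the log message describes, as an added example that is not part of the original commit and is not FreeBSD's ip_output.c code: a single-threaded userland model in C in which a reset frees the PCB while the option value is being copied in. All names (`struct pcb`, `struct sock`, `model_copyin`, `model_setopt`, `run_case`) and the choice of `ECONNRESET` as the error are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical userland model; these are not the FreeBSD structures. */
struct pcb { int ttl; };
struct sock { struct pcb *so_pcb; };  /* NULL once a reset has torn the PCB down */

/* Constructed stand-in for an RST arriving: free the PCB, clear the pointer. */
static void model_reset(struct sock *so) {
    free(so->so_pcb);
    so->so_pcb = NULL;
}

/* Stand-in for a copyin that may sleep; rst_during_copy simulates the reset
 * being processed while the caller is blocked in the copy. */
static int model_copyin(struct sock *so, const void *src, void *dst,
                        size_t len, int rst_during_copy) {
    if (rst_during_copy)
        model_reset(so);
    memcpy(dst, src, len);
    return 0;
}

/* Set an option; the PCB pointer read before the copy is stale afterwards. */
int model_setopt(struct sock *so, const int *uval, int rst_during_copy) {
    struct pcb *p = so->so_pcb;
    int val, error;

    if (p == NULL)
        return ECONNRESET;
    error = model_copyin(so, uval, &val, sizeof(val), rst_during_copy);
    if (error != 0)
        return error;
    p = so->so_pcb;           /* re-validate: reload, never reuse the cached pointer */
    if (p == NULL)
        return ECONNRESET;    /* without this check, p->ttl would touch freed memory */
    p->ttl = val;
    return 0;
}

/* Runs one call; on success the stored option value is written to *out. */
int run_case(int rst_during_copy, int *out) {
    struct sock so = { calloc(1, sizeof(struct pcb)) };
    int val = 64, rc;
    if (so.so_pcb == NULL) return ENOMEM;
    rc = model_setopt(&so, &val, rst_during_copy);
    if (rc == 0) *out = so.so_pcb->ttl;
    free(so.so_pcb);
    return rc;
}
```

In this model nothing can run between the reload and the store, so the check is complete; the log message states that on 6.x the window is only narrowed, not eliminated.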


