From: Robert Watson
Date: Mon, 31 Jan 2005 13:14:05 +0000 (GMT)
To: Maxim Konovalov
Cc: current@freebsd.org
In-Reply-To: <20050131160414.S6885@mp2.macomnet.net>
Subject: Re: OpenBSD's tcpdrop(8)

On Mon, 31 Jan 2005, Maxim Konovalov wrote:

> > The locking in the 6.x version looked reasonable, although you need to
> > check to see if the (tp) returned by tcp_drop() is NULL or not and then
> > conditionally unlock the inpcb if it's non-NULL -- otherwise you might
> > unlock a free'd inpcb. There doesn't seem to be much validation of the
> > tcp_ident_mapping structure, such as validation that the address lengths,
> > etc, are correct?
>
> I've updated the diff for HEAD. How does it look now? TIA!

The locking needs slightly more tweaking -- note that you still need to
unlock (inp) if (tp = intotcpcb(inp)) returns NULL, and right now that
won't happen. The "check tp for NULL" unlock case should only occur if you
call tcp_drop().
Perhaps something like this:

        INP_LOCK(inp);
        /* Only drop a connection that has a tcpcb and is not a listen socket. */
        if ((tp = intotcpcb(inp)) &&
            ((inp->inp_socket->so_options & SO_ACCEPTCONN) == 0)) {
                tp = tcp_drop(tp, ECONNABORTED);
                /* tcp_drop() returns NULL if it freed the inpcb; unlock only if it still exists. */
                if (tp != NULL)
                        INP_UNLOCK(inp);
        } else
                /* Nothing was dropped (no tcpcb, or a listening socket): always release the lock. */
                INP_UNLOCK(inp);

Robert N M Watson
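A user-space model of the lock/drop/unlock pattern proposed above, added here as an illustration; it is not code from the thread or from FreeBSD. The struct and macro names mirror the kernel's, but every body is a mock that only tracks lock state, SO_ACCEPTCONN's value and the ESRCH return for "nothing to drop" are assumptions, and the mock tcp_drop() follows the behaviour the mail describes (returns NULL when the inpcb was freed as a side effect).

```c
/* Constructed model of the inpcb lock / tcp_drop() / unlock pattern. */
#include <stddef.h>
#include <errno.h>
#define SO_ACCEPTCONN 0x0002     /* assumed value; only the bit test matters */
struct socket { int so_options; };
struct inpcb;
struct tcpcb { struct inpcb *t_inpcb; };
struct inpcb {
    struct socket *inp_socket;
    struct tcpcb *inp_ppcb;      /* NULL once the tcpcb has been detached */
    int frees_on_close;          /* mock: tcp_drop() will free this pcb */
    int locked, freed;           /* mock lock state and "freed" marker */
};
#define intotcpcb(inp) ((inp)->inp_ppcb)
static int lock_errors;          /* unlock of a freed pcb, or lock left held */
static void INP_LOCK(struct inpcb *inp) { inp->locked = 1; }
static void INP_UNLOCK(struct inpcb *inp) {
    if (inp->freed) lock_errors++;   /* the use-after-free the mail warns of */
    inp->locked = 0;
}
/* Mock tcp_drop(): as the mail describes, returns NULL when the inpcb was
 * freed as a side effect, otherwise the tcpcb with the inpcb still locked. */
static struct tcpcb *tcp_drop(struct tcpcb *tp, int err) {
    struct inpcb *inp = tp->t_inpcb;
    (void)err;
    if (!inp->frees_on_close)
        return tp;
    inp->locked = 0; inp->freed = 1; /* lock released, memory gone */
    return NULL;
}
/* The pattern proposed above: unlock on every path except the one where
 * tcp_drop() already freed the pcb. Returns 0 on drop, else ESRCH (assumed). */
static int drop_connection(struct inpcb *inp) {
    struct tcpcb *tp;
    int error = 0;
    INP_LOCK(inp);
    if ((tp = intotcpcb(inp)) != NULL &&
        (inp->inp_socket->so_options & SO_ACCEPTCONN) == 0) {
        tp = tcp_drop(tp, ECONNABORTED);
        if (tp != NULL)              /* pcb still exists: we still hold its lock */
            INP_UNLOCK(inp);
    } else {
        error = ESRCH;
        INP_UNLOCK(inp);             /* no drop attempted: always unlock */
    }
    if (!inp->freed && inp->locked) lock_errors++; /* lock leaked */
    return error;
}
static int lock_error_count(void) { return lock_errors; }
```

Each of the four paths (listening socket, detached inpcb, drop that keeps the pcb, drop that frees it) must leave lock_error_count() at zero.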